
Practical Electronic Voting Schemes


Presentation Transcript


  1. Practical Electronic Voting Schemes Peter Landrock ECC, Copenhagen 2005

  2. The company
     • Software house
     • Established in 1986
     • Spin-off from University of Aarhus
     • World-Class Cryptographers - Vincent Rijmen, Ivan Damgaard…
     • Cryptomathic provides secure electronic solutions for web-banking, card issuing and advanced key management with almost 20 years of experience.

  3. Innovation beyond competition
     • World Economic Forum: nominated as one of the most innovative companies in Europe at Davos 2003

  4. Company Ownership
     • University spin-off
     • Founders: Prof. Peter Landrock, Prof. Ivan Damgaard, Prof. Jørgen Brandt, Dr. Torben Pedersen
     • Infineon: #1 in semiconductors, +33,000 employees

  5. Office Locations
     • Aarhus, DK: Head Quarter, R & D
     • Cambridge, UK: UK & USA
     • Leuven, BE: Benelux
     • Copenhagen, DK: Scandinavia
     • Amaro, IT: ECEO - Partner
     • Munich, DE: Central Europe

  6. Products and Offerings
     • Products
     • Custom Solutions
     • Professional Services

  7. Selected Products
     • Authenticator
     • PKI
     • CardInk
     • EMV / ID
     • PrimeInk
     • Toolkits
     • Signer
     • Key Management System (KMS)

  8. The Switch from Manual Elections
     • General idea behind Electronic Voting: like manual voting, only much faster and cheaper, but
       • is the voter able to verify that what he enters is actually what is recorded?
       • can official monitoring verify that one vote is recorded – correctly – for each voter?
       • can we trust the counting process?
       • and: is it socially acceptable?
     • Well, let’s start with the requirements:

  9. Requirements for an e-Voting Scheme
     • Privacy: only the final result is made public; no additional information about votes will leak.
     • Robustness: the result reflects all submitted and well-formed ballots correctly, even if some voters and/or possibly some of the entities running the election cheat.
     • Universal verifiability: after the election, the result can be verified by anyone.

  10. How to meet these requirements?
     • we obviously need cryptographic techniques, but tamper resistant devices as well
     • and we need to provide appropriate protocols and mechanisms to meet these requirements, which we will be discussing
     • digital signatures to identify voters

  11. Specification
     • This does NOT imply that we need an independent X.509 PKI system in place
     • But we will assume we have an existing registration scheme in place (otherwise there is no democracy in the first place!)
     • so we can send something out to a voter by mail, like a PIN-mailer, which he may use for electronic registration
     • at which stage a public key pair is generated for his use, and the private key is stored securely in a central server, all using HSMs
     • the private key never leaves the HSM controlled environment

  12. Specification
     • This registration could take place at home from the voter’s own work station, or at a polling station
       • where he presents a fairly traditional voting card received in the mail for proper identification and counting
       • and uses an additional small slip with a PIN or similar to vote, as in the vote-at-home scenario, using the PIN for identification

  13. Counting votes
     • is easy in binary:
     • Example: 5 candidates, 128 voters, 40-bit voting ballot (i.e. 8 bits per candidate, enough to count 128 voters)
       • Candidate A: 00000000 ... 00000000 00000001
       • Candidate B: 00000000 ... 00000001 00000000
       • ...
       • Candidate E: 00000001 ... 00000000 00000000
     • The sum of the votes reveals how many votes each candidate obtained

  14. Counting the votes
     • Leaving aside the issues of anonymity etc., adding up votes electronically could be virtually instant
     • In order to meet some of our requirements, it would be extremely useful to have the following property:
       • Given any two votes, m1 and m2, and their encryptions, P(m1), P(m2), assume P(m1) + P(m2) = P(m1 + m2);
       • even better, if we can “randomise” to anonymise using an individual random number ri for each vote, and we have the property P(m1, r1) + P(m2, r2) = P(m1 + m2, R) for some number R, then

  15. e-Voting
     • we call P(·,·) a homomorphic public-key encryption if, for any set of votes, there always exists some R (which will vary with the votes) with ∑P(xi, ri) = P(∑xi, R)
     • Now we have it (if such a function exists)!
       • the voter casts his electronic vote x
       • the application chooses a random number r, calculates P(x, r), then signs and forwards SA(P(x, r))
       • the authenticating server verifies the signature and forwards P(x, r) for counting
       • the counting server calculates ∑P(xi, ri) = P(∑xi, R) and decrypts to recover ∑xi, while R is discarded
     • the result is available less than 1 minute after the closing of the polling stations

  16. Another cryptographic tool: zero-knowledge
     • it is actually possible to verify that a vote is the encryption of a correctly filled ballot, without revealing anything else about the vote!
     • this means that a voter cannot successfully include more than one legal vote in his ballot
     • this involves commitment schemes
     • but it is quite likely that politicians don’t buy it

  17. Ingenious!?
     • if EVERYBODY votes electronically, yes
     • but the choice is political
     • it could save some embarrassment, though, here and there
     • Applications in the near future: closed groups of users who already communicate together electronically
       • e.g. organisations such as IEEE
       • stock holders in large companies (e.g. IBM)
     • Anyway, let’s see how it works

  18. Homomorphic encryption
     • We start with an ElGamal encryption scheme
     • Let E be an elliptic curve, P a generator of a large cyclic group of prime order
     • Let Q = xP be a public key, where x is the private key
     • Represent a message m by the point M in E and encrypt as (rP; M + rQ)
     • Decryption of a ciphertext (U; V) takes place by computing xU and then V − xU, which equals M since x(rP) = r(xP) = rQ
     • This system is “semantically secure under the generalized DH assumption”. So far so good

  19. Homomorphic encryption
     • We now need to combine this idea with the very basic naïve counting method we described earlier
     • Example
       • assume there are s candidates and fewer than t voters
       • choose a point B such that the order of B is at least t^s
       • let candidate j be represented by the point t^(j−1)·B
       • this means that any ballot vote to be encrypted is of the form t^(j−1)·B, j = 1, 2, …, s
       • the sum of all the votes will be equal to M = t1·B + t2·t·B + … + ts·t^(s−1)·B = (Σ tj·t^(j−1))·B, where tj is the number of votes for candidate j

  20. Homomorphic encryption
     • So given M = (t1 + t2·t + … + ts·t^(s−1))·B, how do we find t1, t2, …, ts?
     • By solving the discrete log problem! Well!???
     • This is easily done by choosing B wisely for most schemes
     • example: suppose t ≈ 32 million < 2^25 and s = 2; then the order of B need only be bounded by 2^50 (= t^s), so the discrete log is taken over a small range
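Added example, not code from the slides or from Cryptomathic: the counting scheme of slides 15 and 18 to 20 in Python, i.e. additive EC-ElGamal with each ballot encoded as the point t^(j−1)·B, a single homomorphic sum decrypted once, and a brute-force discrete log to read off the per-candidate counts as base-t digits. The curve (secp256k1, whose group has prime order, so any point generates it), reusing the generator P as the ballot base B, the small parameters t = 10 and s = 3, and the sample votes are this example's own choices.

```python
import secrets
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime, p = 3 mod 4
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order (prime)
INF = None  # point at infinity
def add(A, B):  # affine group law on E: y^2 = x^3 + 7 over GF(P_MOD)
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF   # A = -B
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD   # tangent slope
    else: lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def mul(k, A):  # double-and-add scalar multiplication k*A
    R = INF
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def base_point():  # lift the smallest x with x^3 + 7 a square (example choice; prime order => it generates E)
    for x in range(1, 100):
        y = pow(x**3 + 7, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == x**3 + 7: return (x, y)
P_GEN = base_point()  # serves as both the generator P and the ballot base B of the slides

def keygen():  # private x, public Q = xP
    x = secrets.randbelow(N_ORD - 1) + 1
    return x, mul(x, P_GEN)

def encrypt(Q, M):  # P(M, r) = (rP, M + rQ) with fresh random r
    r = secrets.randbelow(N_ORD - 1) + 1
    return mul(r, P_GEN), add(M, mul(r, Q))

def decrypt(x, C):  # (U, V) -> V - xU = M
    U, V = C
    xU = mul(x, U)
    return add(V, INF if xU is INF else (xU[0], (-xU[1]) % P_MOD))

def ballot(j, t):  # candidate j in 1..s is encoded as the point t^(j-1) * B
    return mul(t ** (j - 1), P_GEN)

def tally(x, ciphertexts, t, s):  # homomorphic sum, one decryption, then a small discrete log
    U = V = INF
    for u, v in ciphertexts:
        U, V = add(U, u), add(V, v)           # sum P(x_i, r_i) = P(sum x_i, R)
    M, k, R = decrypt(x, (U, V)), 0, INF
    while R != M and k < t ** s:              # brute force suffices: sum x_i < t^s <= ord(B)
        k, R = k + 1, add(R, P_GEN)
    return [(k // t ** j) % t for j in range(s)]   # base-t digits of k = votes per candidate
```

With fewer than t voters no digit can carry, which is why the order of B must be at least t^s and why the decoded digits are exactly the counts t1, …, ts.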

  21. Some references
     • R. Cramer, R. Gennaro, B. Schoenmakers: A Secure and Optimally Efficient Multi-Authority Election Scheme, Proceedings of EuroCrypt 97
     • I. Damgård and M. Jurik: A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System, Proc. of Public Key Cryptography 2001
     • P. Paillier: Public-Key Cryptosystems based on Composite Degree Residuosity Classes, Proceedings of EuroCrypt 99
     • I. Damgård, J. Groth and G. Salomonsen: The Theory and Implementation of an Electronic Voting System, in Secure Electronic Voting, Advances in Information Security, Vol. 7, Gritzalis, Dimitris (Ed.)

  22. Voting using HSMs/SMS (diagram; boxes: User, e-Vote Web server, Authenticator Server, Back-end Key Server, HSM)
     • (1) User logs on to vote
     • (2) e-Vote web server requests user to vote
     • (3) Key-server requests one-time SMS
     • (4) Auth-server forwards one-time SMS to User and Key-Server
     • (5) Initiate vote and sign

  23. Voting using HSMs/Tokens, ….. (diagram; boxes: User, e-Vote Web server, Authenticator Server, Back-end Key Server, HSM)
     • (1) User logs on to e-Vote WS, generating one-time PW
     • (2) e-Vote web server requests user to vote
     • (3) Key Server requests verification of one-time PW
     • (4) Authenticator verifies one-time PW
     • (5) User initiates voting and signing

  24. Using tamper resistant HSMs
     • is an alternative to e.g. using zero-knowledge techniques or mix-nets
     • the HSM will only allow legal votes before it signs on behalf of the voter
     • By using independent servers for user authentication and for signing and voting, we can effectively prevent all fraud

  25. Detecting cheating
     • If citizens vote at polling stations, all this could be combined with a touch screen for voting, printing a ballot for traditional voting (for all, or for a small randomly chosen sample) together with an electronic vote as just described
     • Samples could then be matched with the corresponding electronic votes, and basic statistics would tell us how many we need to check for an acceptable confidence level
     • Consider an example:

  26. Detecting cheating
     • By having ballots printed, voters are provided with the service that they can see what they have voted on paper, and they have the same level of certainty as at a manual election that their vote will count, provided that a manual recount actually takes place.
     • Almost no information is gained by checking a few votes in a district. The only action that makes sense is to make total recounts in a selection of districts.
     • However, if say a manual recount takes place in 10% of the districts, this gives a 10% chance of catching the manipulation of votes in a particular district for a particular election.

  27. Detecting cheating
     • Consequently quite comprehensive recounting is necessary in order to ensure that the mechanism works as intended, not only by revealing attempted frauds, but also by preventing attempts of fraud from happening by acting as a deterrent.
     • Our approach here allows the following core properties:
       • Electronic votes may contain encrypted information identifying the election district and the manual vote.
       • The electronic votes are detached from the identities of the voters and then decrypted.
       • We can pick a random sample of all the electronic votes of an arbitrary size.
     • Say that we want to ensure with 99% probability that at most 1% of the electronic votes are tampered with, i.e. contain different choices than the ones entered by the voters.
     • Then we pick 459 random electronic votes. If at least 1% of the electronic votes contain different choices than the corresponding manual votes, each of those has less than a 99% chance of passing the test of being compared to the corresponding manual vote.
     • Consequently there is a probability of less than 0.99^459 ≈ 0.009921 that all of them pass the test.

  28. Detecting cheating
     • For the ultimate case, a general election in the US say: by manually comparing 459 votes out of maybe 100 million votes, and causing the rather simple procedure to happen in 459 randomly chosen election districts, you actually get quite confident that no large scale fraud takes place with the electronic votes
     • had this been implemented in 2000, the world might have looked different….

  29. Conclusion
     • We have described practical voting schemes, which have been tested in pilots
     • They require instant key generation upon registration, without requiring a PKI in place
     • which for millions of voters would be practically impossible using RSA, but quite trivial using ECC
     • and we can make it as secure as we want, at low cost
