Title: A Secure and Optimally Efficient Multi-Authority Election Scheme
1. A Secure and Optimally Efficient Multi-Authority Election Scheme
Ronald Cramer, Rosario Gennaro, Berry Schoenmakers
Appears in Walter Fumy (ed.) EUROCRYPT '97, LNCS 1233, pp. 103-118. Springer-Verlag Berlin Heidelberg 1997
Presented by Adeel Hasan, hasa9053_at_cs
2. Criteria for Electronic Voting Mechanisms
- Voter Privacy
- Vote Non Duplication
- Universal Verifiability
- Protection against fraudulent authorities
- Incoercible
- Receipt-free
- Feasibility of processing complexity
3. Summary
- A bulletin board model is used for the submission of ballots.
- A ballot consists of an encrypted vote and a zero-knowledge proof of its validity.
- The mathematical properties of the encrypted vote allow calculating the tally of the votes without compromising privacy.
- Votes are encrypted with the public key of authorities who share a private key under a threshold scheme.
- Universal verifiability is achieved by examining the transcripts of the sessions posted.
- The scheme used is very efficient: the ballot size is small and the computations are straightforward.
- Except for receipt-freeness, the scheme meets all other criteria.
4. The Bulletin Board Model
From digicash.com
- A bulletin board is like a broadcast channel with memory to the extent that any party (including passive observers) can see the contents of it, and furthermore that each active participant can post messages by appending the message to her designated area. No party can erase anything from the bulletin board.
- Communication with the bulletin board model can utilize a public key system already in place. For example, signatures can be used to authenticate user postings.
- The intermediate and final results posted on the site implement universal verifiability.
5. Homomorphic Encryption
Given a message space $M$ and a cipher space $C$:
$M$ is a group under operation $\oplus$.
$C$ is a group under operation $\otimes$.
$E$ is a homomorphic encryption scheme if, given $c_1 = E_{r_1}(m_1)$ and $c_2 = E_{r_2}(m_2)$, there exists an $r$ such that $c_1 \otimes c_2 = E_r(m_1 \oplus m_2)$.
Therefore, given $c_1, \ldots, c_n$ single vote encryptions, the tally can be calculated as $c = c_1 \otimes c_2 \otimes c_3 \otimes \cdots \otimes c_n$.
The ElGamal encryption scheme satisfies these conditions.
6. Diffie Hellman Key Exchange
Alice and Bob agree on a large prime $n$, and $g$, such that $g$ is primitive mod $n$.
Alice chooses a random large integer $x$. Sends over $X = g^x \bmod n$. Alice computes $k = Y^x \bmod n = g^{yx} \bmod n$.
Bob chooses a random large integer $y$. Sends over $Y = g^y \bmod n$. Bob computes $k = X^y \bmod n = g^{xy} \bmod n$.
Anybody listening in would have to solve a discrete logarithm to know $x$ or $y$.
Imagine that Alice is the Voter, and Bob is the Authority. Alice sends over $(X, h^x M \bmod n)$ to Bob, where $h = g^y \bmod n$, $y$ is the secret held by Bob, and $h$ is public. $M$ is the plain text or the vote.
Bob can decrypt by making use of $(g^y)^x M = X^y M \Rightarrow M = (h^x M \bmod n) / X^y$.
7. ElGamal Encryption
$p$ is a large prime, and $g$ public.
The private key is $x$ and is a random number.
The public key $y$ is computed as $y = g^x \bmod p$.
To encrypt $M$, choose a random $k$ such that $k$ is relatively prime to $p - 1$.
$a = g^k \bmod p$
$b = y^k M \bmod p$
The pair $(a, b)$ is the cipher text.
To decrypt, compute $M = b / a^x$.
8. ElGamal Encryption in Voting Scheme
- $p$ and $g$ and a generator $G$ are public.
- The private key $s$ is a secret shared by the authorities.
- $h$ is the public key, $h = g^s \bmod p$.
- $\alpha$ is a value chosen by the voter when encrypting the vote.
- Ballot is an encryption of the form $(x, y) = (g^\alpha, h^\alpha G^m)$ for $m \in \{1, -1\}$.
- The product $(x_1 x_2, y_1 y_2)$ is an encryption of $G^{m_1 + m_2}$.
9. Zero Knowledge Proof for Vote Validity
Proof of knowledge for $\log_g x = \log_h y = \alpha$
Prover: $(x, y) = (g^\alpha, h^\alpha)$, $w \in \mathbb{Z}_q$, $(a, b) = (g^w, h^w)$, $r = w + \alpha c$
Verifier: $c \in \mathbb{Z}_q$
Verify $g^r = a x^c$ ($g^{w + \alpha c} = g^w \cdot g^{\alpha c}$)
Verify $h^r = b y^c$ ($h^{w + \alpha c} = h^w \cdot h^{\alpha c}$)
Messages: Prover sends a, b; Verifier sends c; Prover sends r
- a, b, c and the encryption (x, y) are posted on the bulletin board. The challenge c is computed to be voter specific to prevent vote duplication. So for voter $V_i$, $c_i = H(ID_i, a, b, x, y)$.
- For Yes-No votes, two pairs of a and b are posted to prove that the vote could be either way.
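The two-pair proof for Yes-No votes, written out as an added example (not code from the slides or the paper). It goes beyond the single proof shown above: the branch for the vote not cast is simulated, and the two sub-challenges must sum to the voter-specific hash. The toy group, the SHA-256 encoding of H and the names cast/verify are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this example: P = 2Q + 1, g and G have prime order Q.
P, Q, g, G = 2039, 1019, 4, 9
VOTES = (1, -1)

def challenge(voter_id, *values):
    """c_i = H(ID_i, a, b, x, y), reduced into Z_q (SHA-256 is an assumption)."""
    data = "|".join([voter_id, *map(str, values)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def targets(y):
    """y / G^m for each allowed m; equals h^alpha exactly when the ballot encodes m."""
    return [y * pow(G, -m % Q, P) % P for m in VOTES]

def cast(h, m, voter_id):
    alpha = secrets.randbelow(Q)
    x, y = pow(g, alpha, P), pow(h, alpha, P) * pow(G, m % Q, P) % P
    t, real = targets(y), VOTES.index(m)      # ValueError if m is not +1 or -1
    fake = 1 - real
    a, b, d, r = [0, 0], [0, 0], [0, 0], [0, 0]
    # Branch for the vote not cast: pick d and r first, then solve for (a, b).
    d[fake], r[fake] = secrets.randbelow(Q), secrets.randbelow(Q)
    a[fake] = pow(g, r[fake], P) * pow(x, -d[fake], P) % P
    b[fake] = pow(h, r[fake], P) * pow(t[fake], -d[fake], P) % P
    # Branch for the real vote: (a, b) = (g^w, h^w), r = w + alpha * d.
    w = secrets.randbelow(Q)
    a[real], b[real] = pow(g, w, P), pow(h, w, P)
    c = challenge(voter_id, *a, *b, x, y)
    d[real] = (c - d[fake]) % Q
    r[real] = (w + alpha * d[real]) % Q
    return (x, y), (a, b, d, r)

def verify(h, voter_id, ballot, proof):
    (x, y), (a, b, d, r) = ballot, proof
    if not all(pow(v, Q, P) == 1 for v in (x, y, *a, *b)):
        return False                           # value outside the order-Q subgroup
    if (d[0] + d[1]) % Q != challenge(voter_id, *a, *b, x, y):
        return False                           # wrong voter ID or altered values
    return all(pow(g, r[k], P) == a[k] * pow(x, d[k], P) % P and
               pow(h, r[k], P) == b[k] * pow(t, d[k], P) % P
               for k, t in enumerate(targets(y)))
```

With a modulus this small a forged proof passes with probability about 1/Q, so the parameters are for reading the algebra only.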
10. Threshold Key-Sharing Scheme
- Use Pedersen's scheme: a combination of ElGamal and the (t,n)-threshold scheme by Shamir.
- Each Authority has a share $s_j$ of a secret $s$ which can be reconstructed by the cooperation of t number of participants.
- The public key $h = g^s$ is made public to all participants. Authorities are committed to these shares as the values $h_j = g^{s_j}$ are made public.
- To decrypt an encrypted vote of the form $(x, y) = (g^\alpha, h^\alpha m)$ without explicit reconstruction of the secret $s$:
- 1. Each Authority broadcasts $w_j = x^{s_j}$ and proves in zero knowledge that $\log_g h_j = \log_x w_j$.
- 2. Plain text is recovered as $m = y / (\text{product of shares})$.
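The decryption steps above as an added example (not code from the slides or the paper). With Shamir sharing, the "product of shares" is each $w_j$ raised to its Lagrange coefficient for the participating set. Assumptions: a toy group, a trusted dealer (`deal`) standing in for Pedersen's dealerless key generation, and the zero-knowledge proof for each $w_j$ left out.

```python
import secrets

# Toy group, constructed for this example: P = 2Q + 1, g has prime order Q.
P, Q, g = 2039, 1019, 4

def deal(s, t, n):
    """Shamir (t, n) sharing of s over Z_Q: returns shares {j: s_j} and
    public commitments {j: h_j = g^{s_j}}. Trusted dealer is an assumption."""
    coeffs = [s] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {j: sum(c * pow(j, k, Q) for k, c in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    return shares, {j: pow(g, s_j, P) for j, s_j in shares.items()}

def lagrange_at_zero(j, subset):
    """Coefficient lambda_j with sum(lambda_j * s_j) = s over the given subset."""
    num = den = 1
    for l in subset:
        if l != j:
            num, den = num * l % Q, den * (l - j) % Q
    return num * pow(den, -1, Q) % Q

def partial(x, s_j):
    """Step 1: authority j publishes w_j = x^{s_j}; s_j itself is never revealed."""
    return pow(x, s_j, P)

def combine(y, partials):
    """Step 2: partials is {j: w_j} from any t authorities; returns m = y / x^s."""
    x_s = 1
    for j, w_j in partials.items():
        x_s = x_s * pow(w_j, lagrange_at_zero(j, partials), P) % P
    return y * pow(x_s, -1, P) % P

def demo(t=3, n=5, m=9):
    s = secrets.randbelow(Q - 1) + 1
    shares, _ = deal(s, t, n)
    h = pow(g, s, P)
    alpha = secrets.randbelow(Q)
    x, y = pow(g, alpha, P), pow(h, alpha, P) * m % P   # (g^alpha, h^alpha * m)
    quorum = {j: partial(x, shares[j]) for j in (1, 3, 5)}
    return combine(y, quorum)
```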
11. Main Steps of the Protocol
- Voter $V_i$ posts a ballot $(x_i, y_i)$ and a validity proof.
- When the deadline is reached, the proofs of validity are checked by the authorities and the product $(X, Y) = (\prod x_i, \prod y_i)$ is formed.
- The authorities jointly decrypt $(X, Y)$ to obtain $W = Y / X^s$.
- $W = G^T$ and $T = \log_G W$, where $T$ is the difference between the yes-votes and no-votes, $-l \le T \le l$, and $G$ is the fixed generator used in encrypting the votes.
- Since the number of voters is small, $T$ can be computed in $O(l)$ by iteratively generating $G^{-l}, G^{-l+1}, \ldots$ until $W$ is found.
- Universally verifiable since any party can compute $T$.
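The homomorphic tally from the slides on homomorphic encryption, the ballot format and the main protocol steps, run end to end as an added example (not code from the slides or the paper). Assumptions: a toy group, a single key holder in place of the threshold authorities, and ballots taken as already proven valid.

```python
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# P = 2Q + 1 with Q prime; g and G are squares, so both have order Q.
P, Q = 2039, 1019
g, G = 4, 9

def keygen():
    s = secrets.randbelow(Q - 1) + 1          # private key s
    return s, pow(g, s, P)                    # public key h = g^s mod p

def encrypt_vote(h, m):
    if m not in (1, -1):
        raise ValueError("vote must be +1 (yes) or -1 (no)")
    alpha = secrets.randbelow(Q - 1) + 1      # fresh per ballot
    return pow(g, alpha, P), pow(h, alpha, P) * pow(G, m % Q, P) % P

def combine(ballots):
    """(X, Y) = (prod x_i, prod y_i): an encryption of G^(m_1 + ... + m_l)."""
    X = Y = 1
    for x, y in ballots:
        X, Y = X * x % P, Y * y % P
    return X, Y

def decrypt_to_W(s, X, Y):
    return Y * pow(X, -s, P) % P              # W = Y / X^s = G^T

def recover_T(W, l):
    """Walk G^-l, G^-l+1, ..., G^l until W is hit; needs 2l + 1 <= Q."""
    current = pow(G, -l % Q, P)
    for T in range(-l, l + 1):
        if current == W:
            return T
        current = current * G % P
    raise ValueError("W is not G^T for any T in [-l, l]")

def run_election(votes):
    s, h = keygen()
    ballots = [encrypt_vote(h, m) for m in votes]
    X, Y = combine(ballots)
    return recover_T(decrypt_to_W(s, X, Y), len(votes))
```

Only the combined pair (X, Y) is ever decrypted, so no individual vote is opened; a ballot encoding any m outside {1, -1} would shift T undetected, which is what the validity proof prevents.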
12. References
- Digicash Web Site, http://www.digicash.com/news/archive/voting.html
- Cramer, Ronald, Rosario Gennaro, Berry Schoenmakers, A Secure and Optimally Efficient Multi-Authority Election Scheme. Appears in Walter Fumy (ed.) EUROCRYPT '97, LNCS 1233, pp. 103-118. Springer-Verlag Berlin Heidelberg 1997. Download from http://www.digicash.com/news/archive/voting.html
- Schneier, Bruce, Applied Cryptography, Second Edition, Wiley 1996
- Radwin, Michael J, An untraceable, universally verifiable voting scheme. Download from http://www.radwin.org/michael/projects/voting.html
- Pedersen, T. P., Distributed Provers and Verifiable Secret Sharing Based on the Discrete Logarithm Problem. PhD thesis, Aarhus University, Computer Science Department, Aarhus, Denmark, March 1992.