Electronic Voting - PowerPoint PPT Presentation

Slides: 45
Provided by: Ben5152
1
Electronic Voting
  • Presented by Ben Riva
  • Based on presentations and papers of
    Schoenmakers, Benaloh, Fiat, Adida, Reynolds,
    Ryan and Chaum

2
Agenda
  • Why are today's paper-based elections not
    enough?
  • What properties must any voting scheme achieve,
    and why is it so hard?
  • A few cryptographic primitives in a nutshell.
  • Schemes in which the voter uses a computer in
    the booth.
  • Why is that not enough? The concept of
    voter-verifiability.
  • Voter-verifiable voting schemes
      • Scratch and Vote.
      • Reynolds' scheme.
  • What next?

3
Paper Based Elections
  • Flexible
  • Simple to understand
  • Simple to perform
  • Transparent

But, a famous man once said -
"Those who cast the votes decide nothing. Those
who count the votes decide everything."
4
Why Paper Based Elections Are Not Enough?
  • Votes can be easily altered.
  • Votes can easily be defected.
  • Weak privacy.
  • Re-counts mean almost nothing.

5
What Do We Want?
  • Unforgeability: No one can falsify the result of
    the voting.
  • Eligibility, Unreusability: Respectively require
    that only eligible voters vote and that no voter
    can vote twice.
  • Auditability, Universal auditability: The first
    describes the ability of any individual voter to
    determine whether or not his vote has been
    correctly placed. The second corresponds to the
    ability of any auditor to determine that the
    whole protocol was followed correctly, given that
    votes had been correctly placed.
  • Robustness: Dishonest participants cannot
    disrupt the voting. In particular, cheating
    players should be detected, and it should be
    possible to prove their malicious behavior and
    finish the voting process and the counting
    without their help.
  • Privacy: No one can link a voter with his vote.
  • Coercion resistance (also called receipt
    freeness): A voter cannot prove how he voted.
    This is essential for avoiding vote selling.

6
Why Is It Hard?
  • Good privacy and universal verifiability at the
    same time
  • Coercion resistance and unforgeability

7
A Few Cryptographic Primitives in a Nutshell
8
One-Way Functions
  • A function $f: D \to R$ is called one-way if
      • Computing $f(x)$ is easy.
      • Computing $f^{-1}(y)$ for almost all the images
        is hard.
  • E.g. (under the DL assumption)
      • Prime $p$ and a generator $g$ of $\mathbb{Z}_p$.
      • $f(x) = g^x \pmod{p}$.

9
RSA Cryptosystem
  • Famous public-key cryptosystem
  • A key generation algorithm
      • Let $N = pq$ be the product of two primes
      • Choose $e$ such that $\gcd(e, \varphi(N)) = 1$
      • Let $d$ be such that $de \equiv 1 \bmod \varphi(N)$
      • The public key is $(N, e)$
      • The private key is $d$
  • An encryption algorithm
      • Encryption of $M \in \mathbb{Z}_N$ by
        $C = E(M) = M^e \bmod N$
  • A decryption algorithm
      • Decryption of $C \in \mathbb{Z}_N$ by
        $M = D(C) = C^d \bmod N$

10
El Gamal Cryptosystem
  • Probabilistic, homomorphic public-key encryption
    scheme over a multiplicative group of prime
    order.
  • A key generation algorithm
      • Publicly choose two large primes $q$ and $q'$
        such that $q \mid q'-1$, i.e., $q' = qk+1$ for
        some integer $k$. We also fix a generator $g'$
        of $\mathbb{F}_{q'}$. The cyclic group $G$ we
        work with is the one generated by $g = (g')^k$
        and has order $(q'-1)/k = q$.
      • Private key $x \in G$. Public key $y = g^x$.

11
  • An encryption algorithm
      • To encrypt $m \in G$ we choose uniformly at
        random $r \in \{1, \dots, q-1\}$ and output
        $E(q, q', g, m, y^r) = (g^r, m \cdot y^r)$.
  • A decryption algorithm
      • To decrypt a tuple $(a, b)$ we compute
        $m = b \cdot a^{-x}$.
  • We abbreviate $E(q, q', g, m, y^r)$ to $E(m, y^r)$.
  • ElGamal encryption is multiplicatively
    homomorphic, meaning
    $E(m_1, y^{r_1}) \cdot E(m_2, y^{r_2}) = E(m_1 m_2, y^{r_1 + r_2})$.
  • Re-encryption of $E(m, y^{r_1})$ is
    $E(m, y^{r_1}) \cdot E(1, y^{r_2})$, which results in
    $E(m, y^{r_1 + r_2})$.

12
Digital Signatures
  • We focus on electronic signatures that use
    public-key cryptography.
  • E.g. (Based on RSA)
  • A key generation algorithm
  • Same as in RSA encryption.
  • A signing algorithm
  • Same as decryption of $M \in \mathbb{Z}_N$ by
    $C = D(M) = M^d \bmod N$.
  • A verification algorithm
  • Same as encryption of $C \in \mathbb{Z}_N$ by
    $M = E(C) = C^e \bmod N$.
  • Can be calculated and verified by anyone.
  • Concept of Blind Signatures

13
Secret Sharing
  • Based on the following problem: assuming that
    there are N players, how can a dealer share a
    secret in a way that any group of t (< N) or more
    players could recreate the secret, but any group
    of fewer than t players will not be able to do
    so? Such a scheme is called a (t,N)-threshold
    secret sharing scheme.

14
Shamir Secret Sharing Scheme
  • The dealer selects $t-1$ random integers, which
    form a polynomial $f(x)$ of degree $t-1$ such
    that $f(0) = S$.
  • The dealer calculates f(i) for each player i.
    Those are their private shares.
  • Any group of t or more players can recreate the
    polynomial and S (using Lagrange interpolation).
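
An added example, not part of the original presentation, of the scheme on this slide: the dealer's split and recovery of S by Lagrange interpolation at x = 0. The prime field modulus and the names `split` and `recover` are assumptions; the slide fixes neither.

```python
import secrets

# Assumption: arithmetic is done in the prime field GF(2^127 - 1).
PRIME = 2**127 - 1

def split(secret, t, n):
    """Dealer: build a random degree-(t-1) polynomial f with f(0) = secret
    and hand player i the share (i, f(i))."""
    if not (1 <= t <= n < PRIME and 0 <= secret < PRIME):
        raise ValueError("need 1 <= t <= n and a secret inside the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares):
    """Any t distinct shares: Lagrange interpolation evaluated at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        # Lagrange basis polynomial l_j evaluated at 0 is num / den
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret
```

With fewer than t shares the interpolated value is unrelated to S, which is the threshold property the previous slide asks for.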

15
Threshold Encryption
  • In threshold encryption we have N authorities,
    and we want to encrypt a message in a way that
    any t or more authorities could decrypt it.
    Again, any group of fewer than t authorities will
    not be able to do so.
  • No trusted dealer.
  • Solutions are similar to Shamir's scheme
    (CGS, Pedersen).

16
Zero-knowledge Proofs
  • Interactive protocols between two players, Prover
    and Verifier, in which the prover proves to the
    verifier, with high probability, that some
    statement is true.
  • Does not leak any information besides the
    veracity of this statement.
  • In the case of an honest-verifier ZKP, we can
    make the protocol non-interactive.

17
Zero-knowledge Proof Example
  • Let $g_1, g_2$ be generators of $\mathbb{Z}_q$.
  • The Prover claims that
    $\log_{g_1} v = \log_{g_2} w \ (= x)$ for publicly
    known $v, w, g_1, g_2$.
  • P chooses random $z \in \{1, \dots, q\}$ and sends
    $a = g_1^z$, $b = g_2^z$.
  • V selects random $c \in \{1, \dots, q\}$ and sends
    it.
  • P sends $r = (z + cx)$.
  • V verifies that $g_1^r = a v^c$ and
    $g_2^r = b w^c$.
  • Can be turned into non-interactive
  • $c = \mathrm{Hash}(a, b, v, w)$.
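
The non-interactive form of this proof, as an added example that is not part of the original presentation. The toy group (order-Q subgroup of the integers mod P = 2Q + 1), the use of SHA-256 for Hash, and the subgroup-membership check in `verify` are assumptions of the example.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small for real use):
# P = 2*Q + 1 with P, Q prime; G1 and G2 both have order Q mod P.
Q, P = 1019, 2039
G1, G2 = 4, 9

def challenge(a, b, v, w):
    # c = Hash(a, b, v, w), reduced into the exponent range
    data = f"{a},{b},{v},{w}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x):
    """Prover: knows x with v = g1^x and w = g2^x."""
    v, w = pow(G1, x, P), pow(G2, x, P)
    z = secrets.randbelow(Q)                 # one-time commitment exponent
    a, b = pow(G1, z, P), pow(G2, z, P)
    c = challenge(a, b, v, w)                # replaces the verifier's random c
    r = (z + c * x) % Q
    return v, w, (a, b, r)

def in_group(e):
    # Reject elements outside the order-Q subgroup before using them.
    return 0 < e < P and pow(e, Q, P) == 1

def verify(v, w, proof):
    a, b, r = proof
    if not all(in_group(e) for e in (v, w, a, b)):
        return False
    c = challenge(a, b, v, w)                # verifier recomputes c itself
    return (pow(G1, r, P) == a * pow(v, c, P) % P and
            pow(G2, r, P) == b * pow(w, c, P) % P)
```

A deployed proof would also bind the generators and an election identifier into the hash so a proof cannot be replayed in another context.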

18
Useful ZKP
  • Equality of discrete logarithms
      • The prover knows discrete logarithms of $v$ and
        $w$, and claims they are the same,
        $\log_{g_1} v = \log_{g_2} w$ (for known
        $g_1, g_2$).
  • 1-out-of-L re-encryption
      • The prover wants to prove that for a publicly
        known pair $(x, y)$ there is an ElGamal
        re-encryption in the L encrypted pairs
        $(x_1, y_1), \dots, (x_L, y_L)$.
  • 1-out-of-L message encryption
      • Given L plain-text messages $m_1, \dots, m_L$,
        the prover wants to prove that a tuple $(x, y)$
        is an encryption of one of the L plain-texts.

19
Schemes in Which the Voter Uses a Computer in the
Booth
20
First Fundamental Decision
  • You have essentially two paradigms to choose
    from
  • Anonymized Ballots.
  • Ballotless Tallying.

21
The Mix-Net Paradigm
Chaum, Sako & Kilian
22
The Mix-Net Paradigm
23
The Mix-Net Paradigm
[Figure: votes passing through a MIX]
24
The Mix-Net Paradigm
[Figure: votes passing through a MIX]
25
The Mix-Net Paradigm
[Figure: votes passing through two MIXes]
26
The Homomorphic Paradigm
Benaloh, Cramer et al
27
The Homomorphic Paradigm
28
The Homomorphic Paradigm
29
CGS97 (Cramer, Gennaro and Schoenmakers) -
Ballotless Tallying
  • Uses robust threshold ElGamal.
  • Players
      • Authorities $a_1, \dots, a_s$.
      • Candidates $-1$ and $1$.
      • Voters $v_1, \dots, v_n$.
      • Public Board.

30
CGS97 - The Protocol
  • Initialization
      • All authorities publish
          • Their shares.
          • A threshold public key $S$.
          • Another generator $h$ of the multiplicative
            group.
      • The legal votes will be $h^{-1}$, $h^{1}$.
  • Voting
      • A voter encrypts his vote $b_i$ using
        $E(h^{b_i}, S^r)$ and publishes it along with a
        non-interactive proof of validity of the vote
        on a public board.
  • Verification
      • All voters' non-interactive proofs are verified
        (publicly) and invalid votes are deleted.

31
  • Tallying
      • After the election ends, t authorities calculate
        $E(h^{\mathrm{total}}, S^{r_{\mathrm{total}}}) = \prod_i E(h^{b_i}, S^r)$
        and publicly decrypt it to get
        $h^{\mathrm{total}}$. Now anyone can find Total
        (using a linear-time exhaustive search), which
        is the difference between the number of votes
        for each candidate. These calculations can also
        be verified using a non-interactive
        zero-knowledge proof of equality of discrete
        logarithms.
      • Using Paillier encryption we can eliminate the
        exhaustive search.
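
The ElGamal homomorphism and re-encryption from the earlier slides, and the CGS97 tally built on them, as an added example that is not part of the original presentation. It assumes a toy group and a single key holder standing in for the t threshold authorities, and it replaces the voter's proof of validity with a plain range check; all function names are hypothetical.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# P = 2*Q + 1 with P, Q prime; G and H both generate the order-Q subgroup.
Q, P = 1019, 2039
G, H = 4, 9

def keygen():
    x = secrets.randbelow(Q - 1) + 1             # private key x
    return x, pow(G, x, P)                       # public key y = g^x

def encrypt(m, y):
    r = secrets.randbelow(Q - 1) + 1             # fresh randomness r
    return pow(G, r, P), m * pow(y, r, P) % P    # E(m, y^r) = (g^r, m*y^r)

def decrypt(ct, x):
    a, b = ct
    return b * pow(a, -x, P) % P                 # m = b * a^(-x)

def multiply(c1, c2):
    # Component-wise product: E(m1, y^r1) * E(m2, y^r2) = E(m1*m2, y^(r1+r2))
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def reencrypt(ct, y):
    return multiply(ct, encrypt(1, y))           # same plaintext, new randomness

def cast(vote, y):
    # The real protocol attaches a NIZK proof of validity; this check stands in.
    if vote not in (-1, 1):
        raise ValueError("legal votes are -1 and 1")
    return encrypt(pow(H, vote, P), y)           # E(h^b, y^r)

def tally(ballots, x):
    acc = (1, 1)                                 # encryption of 1 with r = 0
    for ct in ballots:
        acc = multiply(acc, ct)
    h_total = decrypt(acc, x)                    # h^total
    n = len(ballots)
    for total in range(-n, n + 1):               # linear exhaustive search
        if pow(H, total, P) == h_total:
            return total
    raise ValueError("decrypted value is not h^total for any feasible total")
```

Only the product of all ballots is ever decrypted, so no individual vote is opened during the count.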

32
CGS97 Scheme Properties
33
So what more do we want?
  • A voter is not a computer!
  • We want the voter to vote bare-handed. The voter
      • Does not bring any electronic device.
      • Does not perform cryptographic computations in
        his head.
      • Uses only human abilities.
  • We want him to be able to verify the booth's
    behavior - Voter Verifiability.

34
Voter Verifiable Voting Schemes
35
Scratch and Vote (Adida and Rivest 2006)
  • Very simple idea.
  • Uses threshold Paillier encryption.
  • The voter picks two ballots from a big bin.
  • The voter scratches off a scratch surface of one
    ballot, and later he can verify its validity.
  • The voter marks his selection on the other
    ballot, shreds the candidate list and surrenders
    it to the poll workers.
  • The poll-worker shreds the scratch surface.
  • The voter feeds the rest into a scanner and takes
    it home as a receipt.

36
Scratch and Vote - The Ballot
  • The ballot consists of
      • Candidates list in a random order (left part).
      • A barcode made of encryptions and NIZKP.
      • A scratch surface which conceals the randomness
        used for the encryptions.

37
Scratch and Vote - Verification and Tallying
  • Every voter can check that his vote is published
    correctly.
  • Ballots are checked using their NIZKP.
  • A threshold decryption of the product of all
    legal cast ballots is executed.

38
Scratch and Vote - Properties
  • Pros.
      • Very simple to use.
      • Voter verifiable.
      • Efficient.
  • Cons.
      • If it uses an empty ballots bin
          • A coercer can steal a valid ballot and coerce
            someone to use it (chain voting).
      • If it uses a computer and a printer to create
        the ballots in front of the voter
          • The booth can misbehave.
      • If it uses a scanner to record the ballots
          • The booth knows what the voter voted.
      • If it uses another ballots bin to collect the
        ballots
          • The voter has no receipt.
      • Also, signatures are not handled properly
          • Without signatures, the voter can claim
            anything later.
          • With signatures, the voter needs computer
            assistance.
      • Shredding
          • If we want to print the ballots in front of
            the voter, we must verify the voter shreds
            the left part.
      • Random coercion

39
Reynolds Scheme
  • Voter enters the booth and receives a blank
    ballot.
  • The voter fills in two random numbers inside the
    boxes of the candidates he does not want.
  • The booth prints a few encryptions (later).
  • The voter fills in the last number and casts the
    ballot. He also takes it as a receipt.

40
Reynolds Scheme - What Are the NIZKPs?
  • If we use threshold ElGamal, then the NIZKPs
    consist of
      • A proof that for each line $i$:
        $D_i = E(d_i)$ OR $V_i = E(h^1)$
      • A proof that for each line $i$:
        $V_i = E(h^0)$ OR $V_i = E(h^1)$
      • A proof that $\prod_i V_i = E(h^1)$
  • Where $h$ is another generator of the group

41
Reynolds Scheme - Verification and Tallying
  • Every voter can check that his vote is published
    correctly.
  • Ballots are checked using their NIZKPs.
  • A threshold decryption of the product of all
    legal cast ballot lines is executed.

Final tally: Yellow - 1, Green - 2, Blue - 0
42
Some Of The Problems
  • Has almost the same problems as SnV with
      • Privacy.
      • Coercion.
      • Robustness.
  • Other schemes (Neff, Chaum, Ryan) have similar
    problems.

43
The Main Thing
44
The Projects
  • Scratch and Vote
      • Encryption: threshold Paillier.
      • Ref
          • Base paper - Ben Adida and Ronald L. Rivest.
            Scratch & Vote: Voter-Verifiable Paper-Based
            Cryptographic Voting.
  • Reynolds scheme
      • Encryption: threshold ElGamal.
      • Ref
          • Base presentation - D. J. Reynolds. A method
            for electronic voting with coercion-free
            receipt. FEE 05.
          • For NIZKP - Ronald Cramer, Rosario Gennaro,
            and Berry Schoenmakers. A secure and
            optimally efficient multi-authority election
            scheme. In EUROCRYPT.
  • Also
      • Public board.
      • Digital signatures.