Electronic Voting Schemes and Other stuff - PowerPoint PPT Presentation

Slides: 29
Provided by: Niv
1
Electronic Voting Schemes and Other stuff
2
Requirements
  • Only eligible voters can vote (once only)
  • No one can tell how voter voted
  • Publish who voted (?)
  • Voter cannot be coerced/bribed to voting some way
  • Voter cannot prove how she voted.
  • The final tally is the correct sum
  • Every voter can verify her vote, or assign other
    to verify
  • Everyone can verify total
  • No disruption
  • No partial results known

3
Chaum's Onion Routing
Note: messages are the same length
4
Voting in Mix Nets
  • Voters create ballots
  • Every voter encrypts ballot
  • t mix servers (one after the other)
  • Decryption network: encryption peeled off and
    order randomized in server
  • Reencryption networks: use El-Gamal

5
El Gamal Encryption
  • $g$ a generator of $Z_p$, $p = 2q + 1$
  • $x$ is the secret key
  • $y = g^x$ is the public key, $g$ is a generator
  • $E(m) = (g^r, m y^r) = (c_1, c_2)$, $r$ random, is the
    encryption
  • $D(c_1, c_2) = c_2 / c_1^x = m$
  • Reencryption
  • $\mathrm{ReEnc}(c_1, c_2) = (c_1 g^s, c_2 y^s)$, $s$ random, is the
    reencryption

6
Need to prove correct reencryption
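$y = g^x$
  • $c_1 = (g^t, m_1 y^t)$
  • $c_2 = (g^u, m_2 y^u)$
  • $c_{11}/c_{21} = g^{t-u} = g^r = w$ (Define $r = t-u$, $w$)
  • $c_{12}/c_{22} = y^{t-u}\,(m_1/m_2) = (m_1/m_2)\,y^r = u$, so $u = y^r$
    exactly when $m_1 = m_2$
  • Prover/Verifier Protocol
  • Prover: $(g^s, y^s) = (a, b)$ -> Verifier
  • Prover <- $c$
  • Prover: $t = s + cr$ -> Verifier, who checks that $g^t = a\,w^c$ and
    that $y^t = b\,u^c$
  • Verifier needs to be honest here, why? What does
    the verifier learn?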

7
Chaum-Pedersen
  • For G, X, H, Y prove that $\log_G X = \log_H Y$
  • Honest Verifier Zero Knowledge Proof of Knowledge
  • Example question for exam:
  • Define HVZK proof of knowledge
  • Prove that the Chaum-Pedersen protocol is an HVZK proof
    of knowledge

8
Honest Verifier ZK (Sigma-Nets)
  • x is common input to P, V, w is a witness for x,
    private to P
  • P sends a message a
  • V sends a random t-bit string e.
  • P sends a reply z
  • V decides to accept or reject based on the data
    he has seen, i.e. x, a, e, z.

9
Honest Verifier ZK
  • For any two accepting conversations $(a, e, z)$, $(a, e', z')$
    where $e \neq e'$, one can efficiently compute a witness w for x
  • There exists a polynomial-time simulator M, which
    on input x and a random e outputs an accepting
    conversation of the form (a, e, z), with the same
    probability distribution as conversations between
    the honest P, V on input x.
  • Proofs of Knowledge: a resettable P allows the simulator
    to compute witness w.
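
The reencryption proof from slide 6, together with the simulator and witness extraction from slide 9, as an added example that is not part of the original slides. The toy group (p = 2039, q = 1019, g = 4 of order q), the function names and the choice to work in the order-q subgroup are assumptions.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 4 has order q.
P, Q, G = 2039, 1019, 4

def encrypt(y, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P), m * pow(y, r, P) % P

def reencrypt(y, c):
    """Return the reencrypted pair and the randomness r (the prover's witness)."""
    r = secrets.randbelow(Q - 1) + 1
    return (c[0] * pow(G, r, P) % P, c[1] * pow(y, r, P) % P), r

def quotients(new, old):
    """w and u from slide 6: component-wise quotient of the two ciphertexts."""
    w = new[0] * pow(old[0], -1, P) % P
    u = new[1] * pow(old[1], -1, P) % P
    return w, u

def commit(y):
    s = secrets.randbelow(Q)
    return s, pow(G, s, P), pow(y, s, P)      # prover keeps s, sends (a, b)

def respond(s, c, r):
    return (s + c * r) % Q                     # t = s + c*r

def verify(y, w, u, a, b, c, t):
    return (pow(G, t, P) == a * pow(w, c, P) % P and
            pow(y, t, P) == b * pow(u, c, P) % P)

def simulate(y, w, u, c):
    """Simulator M: choose t first, then solve for (a, b). Uses no witness."""
    t = secrets.randbelow(Q)
    a = pow(G, t, P) * pow(w, -c, P) % P
    b = pow(y, t, P) * pow(u, -c, P) % P
    return a, b, t

def extract(c1, t1, c2, t2):
    """Witness from two accepting conversations sharing (a, b), c1 != c2."""
    return (t1 - t2) * pow((c1 - c2) % Q, -1, Q) % Q
```

The simulator only works because the challenge c is fixed before (a, b) is chosen, which is exactly the honest-verifier assumption the slide asks about.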

10
Homomorphic El Gamal
  • $c_1 = (g^t, m_1 y^t)$
  • $c_2 = (g^u, m_2 y^u)$
  • $c_1 c_2 = (g^{t+u}, m_1 m_2 y^{t+u})$
  • Encode: 1 = no vote
  • g = yes vote

11
Payments
  • Untraceable electronic cash
  • Online
  • Offline
  • Micropayment protocols
  • Real Protocols SET, EMC,
  • EMC is really used, old
  • SET seems to be dead in the water

12
Main idea (Chaum) blind signatures
  • RSA: $m^{1/e} \bmod n$
  • Blind RSA
  • Two party protocol
  • Alice sends Bob $(r^e m) \bmod n$
  • Bob computes $(r^e m)^{1/e} = r\,m^{1/e} \bmod n$
  • Alice computes $m^{1/e} \bmod n$
  • Problems
  • Alice can get Bob to sign anything,
  • Bob does not know what he is signing

13
Online Non-Anonymous Cash
  • Let's follow the flow of a 1 dollar bill
  • Alice takes the string $m$ = account number +
    serial number, chooses a random $r$, and sends
    $m\,r^e \bmod n$ to the bank
  • The bank signs this message and sends $m^{1/e} r$ to
    Alice
  • Alice extracts a signature on account number +
    serial number ($m^{1/e}$), and gives it to the
    merchant
  • The merchant sends this to the bank, which
    verifies that the bill has not been used
    previously

14
Problems
  • No anonymity
  • What is Alice getting signed anyway? The bank does
    not know.
  • Imagine that a signature on the string f(s)
    means one dollar
  • Alice could prove to the bank that this is the
    format of what she is asking for
  • Could be done via general multiparty computation
  • Could be done via cut and choose (the rabbit
    problem)

15
Online Anonymous Cash
  • Alice chooses a random $s$, $r$, sends $r^e f(s)$
    to the bank
  • The bank debits Alice's account by 1 dollar and sends
    $r\,(f(s))^{1/e}$ to Alice
  • Alice extracts $(f(s))^{1/e}$, and gives it and $s$ to
    the merchant
  • The merchant sends this to the bank, which
    verifies that the bill ($s$) has not been used
    previously

16
Advantages / Problems
  • The bank has given Alice a bill, but does not
    know what the bill looks like
  • The bank cannot later identify Alice with the
    bill
  • The bank must be online at all times to identify
    bills
  • Multiparty computation is entirely inefficient
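
The blind RSA exchange from slide 12 used as the online anonymous cash flow of slide 15, as an added example that is not part of the original slides. The toy bank key (two Mersenne primes), SHA-256 as the format function f, and the Bank and withdraw names are assumptions.

```python
import hashlib, math, secrets

# Constructed toy bank key (two Mersenne primes); real keys are far larger.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: x -> x^(1/e) mod n

def f(s):
    """Public format function f(s); SHA-256 is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big") % N

class Bank:
    def __init__(self):
        self.spent, self.debits = set(), 0

    def sign_blinded(self, z):
        self.debits += 1                # debit the account, then sign blindly
        return pow(z, D, N)             # the bank never sees f(s) or s

    def deposit(self, s, sig):
        """Online check: valid signature on f(s) and s not seen before."""
        if pow(sig, E, N) != f(s) or s in self.spent:
            return False
        self.spent.add(s)
        return True

def withdraw(bank):
    s = secrets.token_bytes(16)         # random serial s
    r = 0
    while math.gcd(r, N) != 1:          # blinding factor must be invertible
        r = secrets.randbelow(N - 2) + 2
    z = pow(r, E, N) * f(s) % N         # Alice -> bank: r^e f(s)
    signed = bank.sign_blinded(z)       # bank -> Alice: r f(s)^(1/e)
    sig = signed * pow(r, -1, N) % N    # Alice unblinds: f(s)^(1/e)
    return s, sig, z
```

The spent set is the reason the bank has to be online: the second deposit of the same s is rejected only because the first one was recorded.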

17
How to do cut and choose here
  • Alice sends the bank many values $z_1, z_2, \ldots, z_k$
  • The bank asks Alice to reveal ½ of the values
    $z_i = r_i^e f(s_i)$
  • The bank extracts the root of the product
    of all the others
  • The bill is valid if it is the root of a
    product of $f(s_i)$
  • Remark: in this case, it's not clear that we need
    Alice to prove anything to the bank; any
    deviation from the protocol by Alice can only harm
    her

18
How to do Offline Anonymous Cash?
  • If Alice double spends she will be caught and
    identified
  • If Alice does not, her anonymity is guaranteed
  • The merchant cannot reuse the money (other than
    send it to the bank)

19
Idea: encode Alice's identity into the money
  • Alice generates $f(s_1), f(s_2), \ldots, f(s_k)$,
    $f(t_1), f(t_2), \ldots, f(t_k)$, such that $s_i \oplus t_i$ =
    Alice
  • Alice sends blinded versions of all of these to
    the bank
  • The bank verifies the correctness and sends Alice
    the root of the product of the indices not
    revealed
  • The merchant asks Alice for the signature and for
    a random subset of the indices
  • If Alice double spends, her identity becomes
    known to the bank.
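
How the XOR split exposes a double spender, as an added example that is not part of the original slides. It assumes the merchant's random subset is a bit per index choosing between $s_i$ and $t_i$, uses SHA-256 for f, and leaves out the bank's blind signature; all names are hypothetical.

```python
import hashlib, secrets

def f(v):
    return hashlib.sha256(v).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_coin(identity, k=16):
    """k pairs (s_i, t_i) with s_i XOR t_i = identity, plus their public images."""
    pairs = []
    for _ in range(k):
        s = secrets.token_bytes(len(identity))
        pairs.append((s, xor(s, identity)))
    public = [(f(s), f(t)) for s, t in pairs]
    return pairs, public

def spend(pairs, challenge):
    """Answer the merchant: bit 0 reveals s_i, bit 1 reveals t_i."""
    return [pair[bit] for pair, bit in zip(pairs, challenge)]

def merchant_accepts(public, challenge, answers):
    return all(f(ans) == pub[bit]
               for pub, bit, ans in zip(public, challenge, answers))

def bank_identify(spend1, spend2):
    """Two spends of one coin: any index answered both ways yields the identity."""
    (ch1, ans1), (ch2, ans2) = spend1, spend2
    for b1, a1, b2, a2 in zip(ch1, ans1, ch2, ans2):
        if b1 != b2:
            return xor(a1, a2)
    return None                          # identical challenges reveal nothing
```

A single spend shows only one uniformly random half of each pair, so the identity stays hidden until a second spend answers some index the other way.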

20
El-Gamal Signature Scheme
Generation
  • Pick a prime $p$ of length 1024 bits such that DL
    in $Z_p$ is hard.
  • Let $g$ be a generator of $Z_p$.
  • Pick $x$ in $[2, p-2]$ at random.
  • Compute $y = g^x \bmod p$.
  • Public key: $p, g, y$.
  • Private key: $x$.

21
El-Gamal Signature Scheme
Signing M
  • Hash: let $m = H(M)$.
  • Pick $k$ in $[1, p-2]$ relatively prime to
    $p-1$ at random.
  • Compute $r = g^k \bmod p$.
  • Compute $s = (m - rx)k^{-1} \bmod (p-1)$ (*)
  • Output $r$ and $s$.

22
El-Gamal Signature Scheme
Verify M,r,s,PK
  • Compute $m = H(M)$.
  • Accept if $0 < r < p$ and $y^r r^s = g^m \bmod p$.
  • else reject.
  • What's going on?
  • By (*) $s = (m - rx)k^{-1} \bmod (p-1)$, so $sk + rx = m$. Now
    $r = g^k$ so $r^s = g^{ks}$, and $y = g^x$ so $y^r = g^{rx}$, implying
    $y^r r^s = g^m$.

23
The Digital Signature Algorithm (DSA)
  • Let p be an L bit prime such that the discrete
    log problem mod p is intractable
  • Let q be a 160 bit prime that divides p-1
  • Let a be a qth root of 1 modulo p.

How do we compute a?
24
The Digital Signature Algorithm (DSA)
  • $p$ prime, $q$ prime, $p-1 \equiv 0 \bmod q$, $a = 1^{1/q} \bmod p$
  • Private key: random $1 \le s \le q-1$.
  • Public key: $(p, q, a, \beta = a^s \bmod p)$
  • Signature on message M:
  • Choose a random $1 \le k \le p-1$, secret!!
  • Part II = (SHA(M) + s (Part I)) / k mod q
  • Part I = $(a^k \bmod p) \bmod q$

25
The Digital Signature Algorithm (DSA)
  • $p$ prime, $q$ prime, $p-1 \equiv 0 \bmod q$, $a = 1^{1/q} \bmod p$.
    Private key: random $1 \le s \le q-1$. Public
    key: $(p, q, a, \beta = a^s \bmod p)$. Signature on
    message M:
  • Choose a random $1 \le k \le p-1$, secret!!
  • Part I = $(a^k \bmod p) \bmod q$
  • Part II = (SHA(M) + s (Part I)) / k mod q
  • Verification
  • $e_1$ = SHA(M) / (Part II) mod q
  • $e_2$ = (Part I) / (Part II) mod q
  • OK if

26
The Digital Signature Algorithm
27
Testing Primitive Elements mod p
  • Let $p$ be a prime number so that the prime
    factorization of $p-1$ is known
  • $p-1 = q_1^{e_1} q_2^{e_2} \cdots q_k^{e_k}$ ($q_1, q_2, \ldots, q_k$
    primes).
  • Theorem: $g \in Z_p$ is a primitive element in $Z_p$ iff
    $g^{(p-1)/q_1}, g^{(p-1)/q_2}, \ldots, g^{(p-1)/q_k}$ are all
    $\neq 1 \bmod p$
  • Algorithm: Efficiently compute all k powers.
  • Caveat: Requires factorization of $p-1$.

28
Proof
  • If $g$ is a primitive element mod $p$ then $g^i \bmod p \neq 1$ for
    all $1 \le i \le p-2$
  • If $g$ is not a primitive element mod $p$, let $d$ be
    the order of $g$. $d$ divides $p-1$, let $q$ be a prime
    divisor of $(p-1)/d$, then
  • $g^d = 1 \bmod p$, $d$ divides $(p-1)/q$, and so $g^{(p-1)/q}
    = 1 \bmod p$.
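
The primitive element test from slide 27, cross-checked against a brute-force order computation, as an added example that is not part of the original slides. The last function applies the same exponent trick to slide 23's question of how to compute a: raising any h to (p-1)/q gives a qth root of 1, which is the standard method and not taken from the slides. Trial division and all names are assumptions.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small or smooth n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive(g, p):
    """g is primitive iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def order(g, p):
    """Brute-force multiplicative order, used only to cross-check the theorem."""
    acc, n = g % p, 1
    while acc != 1:
        acc, n = acc * g % p, n + 1
    return n

def element_of_order_q(p, q):
    """An a != 1 with a^q = 1 mod p, for a prime q dividing p-1."""
    if (p - 1) % q:
        raise ValueError("q must divide p - 1")
    for h in range(2, p - 1):
        a = pow(h, (p - 1) // q, p)
        if a != 1:
            return a
    raise ValueError("no element of order q found")
```

The test costs one modular exponentiation per prime factor of p-1, while the brute-force order takes up to p-1 multiplications.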