Evoting by ZeroKnowledge - PowerPoint PPT Presentation


1
E-voting by Zero-Knowledge
  • Victor K. Wei
  • Dept. of Information Engineering
  • Chinese Univ. of Hong Kong
  • kwwei_at_ie.cuhk.edu.hk

2
Outline
  • E-voting requirements
  • E-voting survey
  • mixnet, aggregate, blind signature
  • E-voting by linkable ring signature (i.e.
    linkable disjunctive zero-knowledge protocol)
  • Survey LRS
  • Survey e-voting by LRS or cousins
  • new results

3
E-voting definition
  • Definition [STORK report, May 2003, editor:
    Phong Q. Nguyen]: An electronic voting scheme is a
    set of protocols which allows voters to cast
    ballots while a group of authorities collects the
    votes and outputs the final tally.

4
Cryptographic E-voting survey
  • State-of-the-art: STORK03, Moran-Naor06, ...
  • Mixnet
  • Homomorphic encryption/aggregate
  • Blind signature
  • Linkable ring signature (linkable disjunctive
    zero-knowledge protocol)
  • This talk's main purpose: most surveys cover 3
    approaches, should be 4

5
E-voting paper crypto
  • DRE (Direct Recording Engine): Tal Moran, Naor
  • Paper-based: Chaum punchscan.org, Adida,
    Rivest benlog.com
  • Felten cracks Diebold

6
Cryptographic E-voting requirements [STORK]
  • Eligibility
  • Privacy/anonymity
  • Individual/universal/end-to-end verifiability
  • Robustness
  • Receipt-free → incoercible
  • Fairness
  • Sampigethaya et al. 05: scalable, practical, ...,
    surveys 27 papers

7
Sampigethaya et al. 05
8
Sampigethaya et al. 05
9
E-voting: mix/aggregate
  • Setup system parameters
  • Voter prepares ballot and encrypts it
  • Voter posts to BBS (ID.ptxt, ballot.ctxt)
  • Anonymize/aggregate
  • By multiple servers, usually in tandem
  • Post verifiable intermediate results
    (incoercion)
  • Tally (w/ proof)
  • Incoercion by CZK: Acquisti 03, Juels et al. 02, 05

10
Mixnet from Kiayias-Yung 04
11
Mixnet
  • V authenticates and posts (ID.ptxt, ballot.ctxt)
  • Double vote, ..., defended. Univ. verif., write-in
    OK
  • Servers mix
  • Each server must prove compliance (e.g. not
    add/remove ballots)
  • High complexity

12
Homomorphic encryption
13
Homomorphic encryption
  • V authenticates to vote
  • Needs decryption server (or group of servers); do
    not decrypt the send-ins
  • Privacy, no double vote, efficient tally, univ.
    verif.
  • No write-ins

14
Blind signature
15
Blind signature
  • Voting: SPK (signature proof-of-knowledge) of a
    (blind) signature w.r.t. candidate
  • Special blind_sig SPK: SPK twice reveals
    identity
  • Needs untraceable send-in channel
  • Privacy, fair, write-ins, efficient tally
  • No univ verif. Has individual verif.

16
E-vote by blind signature
  • Registration: V gets a blind sig from Authority
  • Vote: V gives SPK of having blind sig w.r.t. cand.
  • Tally
  • SPK is such that vote twice → reveal secret (e.g. ID)

17
E-vote by LRS
  • Register: V posts P.K.; alt., register for a cert
  • Vote: V sends LRS via untraceable channel
  • Tally: easy
  • Double vote detectable
  • Privacy, write-ins, fast tally
  • X: univ. verif. (political solution exists),
    untraceable send-in channel, incoercion

18
Comparison [Kiayias-Yung 04]
  • Mix: X tally is high complexity
  • Homomorphic enc: X write-in
  • Blind sig: X universal verifiability
  • LRS: X universal verifiability, w/ excuse

19
Group of servers
  • Mix: if all servers collude in the future, breaks
    anonymity
  • Cf. Moran-Naor, Crypto 06: receipt-free
    universally-verifiable voting with everlasting
    privacy
  • LRS: if all servers collude in the future,
    forge more votes.

20
Universal verifiability
  • Voter can complain of non-inclusion of ballot.
    Then observer can verify election.
  • Mix/aggregate: complain easy, and remedy
  • LRS: no easy complaint procedure w/o losing privacy
  • Political solution

21
Receipt-freeness/incoercion
  • All past constructions need hw/TTP assumption
  • Acquisti 03: homomorphic enc, CZK
  • Juels-Jakobsson 02, 05: blind sig, CZK

22
LRS e-vote univ. verif.
  • Ballot (known candidate, hidden voter)
  • Mix/aggregate (known voter, hidden candidate)
  • Complain: un-entered ballot
  • Multiple votes for same cand. OK
  • Ensure unstoppable BBS for posting ballot
  • Unauthenticated BBS: defend DoS by query serial
  • Cf. mix/aggregate: (1) authenticated BBS, (2) if
    un-entered, repeat authenticate and post

23
LRS e-vote incoercion
  • Use CZK
  • Unauthenticated channel (a kind of untraceable
    channel, formally defined for CZK)

24
LRS model: syntax
  • Setup
  • Register: be listed as a voter for this round
  • Sign: produce signature and post
  • Verify
  • Tally
  • Link/accuse: link an LRS to other LRSs
  • Vindicate

25
LRS model: security notions
  • Anonymity: LRS cannot be traced to voter
  • Correlational anonymity: multi-round votes cannot
    be traced to the same anonymous voter
  • Unforgeability: colluding voters cannot produce a
    signature not linked to any of them
  • Non-slanderability: colluding voters plus
    authorities cannot produce a signature linked to
    a victim voter and not vindicable

26
LRS related work
  • Nakanishi et al., 97, 99: Linkable group signature
    and its application to secret voting
  • Teranishi et al., Asiacrypt 04: k-time anonymous
    authentication
  • Damgard et al., Eurocrypt 06: unclonable group
    identification

27
Past LRS for e-voting
  • Liu, Wei, Wong, ACISP04
  • Not scalable, O(N) size
  • Tsang, Wei, ISPEC05
  • O(1) generic construct OK, X concrete construct
  • Au et al., ISPEC07
  • Anon. but not correlationally anon.
  • My modification of Kiayias-Yung's group sig, and
    Au et al. 07
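
An added illustration (not code from the talk or the cited papers) of the Sign, Verify, Link and Tally steps of e-voting by LRS, using a toy O(N)-size ring construction in the style of the Liu-Wei-Wong scheme listed above rather than the O(1) pairing-based one. The group parameters, the hash encoding and the names `H`, `base`, `sign`, `verify` and `tally` are assumptions made for the example; the group is far too small for real use.

```python
import hashlib, secrets
# Constructed toy group: p = 2q + 1, G has prime order q. Not secure.
P, Q, G = 4079, 2039, 4

def H(*parts):  # hash arbitrary values to an integer in Z_q
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def base(ring):
    # a in [2, q+1] is never 0 or +-1 mod p, so a^2 has order exactly q
    return pow(H("base", *ring) + 2, 2, P)

def sign(msg, ring, k, x):
    """Voter at position k of the public-key list signs msg with secret x."""
    n, h = len(ring), base(ring)
    tag = pow(h, x, P)  # linking tag: same key and same ring give same tag
    c, s = [0] * n, [secrets.randbelow(Q) for _ in range(n)]
    r = secrets.randbelow(Q)
    i = (k + 1) % n
    c[i] = H(ring, tag, msg, pow(G, r, P), pow(h, r, P))
    while i != k:  # simulate every other ring member
        a = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        b = pow(h, s[i], P) * pow(tag, c[i], P) % P
        i = (i + 1) % n
        c[i] = H(ring, tag, msg, a, b)
    s[k] = (r - x * c[k]) % Q  # close the ring with the real secret
    return c[0], s, tag

def verify(msg, ring, sig):
    c0, s, tag = sig
    if len(s) != len(ring) or not 1 < tag < P or pow(tag, Q, P) != 1:
        return False
    h, c = base(ring), c0
    for y, si in zip(ring, s):
        a = pow(G, si, P) * pow(y, c, P) % P
        b = pow(h, si, P) * pow(tag, c, P) % P
        c = H(ring, tag, msg, a, b)
    return c == c0

def tally(ring, ballots):  # returns (counts, tags of double votes)
    seen, counts, doubles = set(), {}, []
    for msg, sig in ballots:
        if not verify(msg, ring, sig):
            continue  # invalid signature: not from a registered voter
        if sig[2] in seen:
            doubles.append(sig[2])  # same tag seen before: double vote
        else:
            seen.add(sig[2])
            counts[msg] = counts.get(msg, 0) + 1
    return counts, doubles
```

The ballot carries the candidate in the clear and the signature hides which registered key produced it; only the repeated tag exposes a second vote by the same key.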

28
E-voting by LRS
  • Wei preprint07
  • O(1), yet unbroken
  • Extend to universal verif.: political solution
  • Extend to incoercion: needs unauthenticated
    channel for 4 rounds

29
E-voting by LRS, i.e. linkable disjunctive ZKP:
modify DKNS04, Tsang-Wei05
  • Setup: CA sk-pk is $(x, g^x)$, pairings
    $G_1 \times G_1 \to G_T$, fair bases $g, h \in G_1$, $u \in G_3$.
  • Register: voter $i$ authenticates and gets cert
    $(e_i, A_i = (g h^{y_i})^{1/(x+e_i)})$,
  • usk-upk is $(y_i, g^{y_i})$
  • Vote: $SPK\{(A, e, y) : A^{x+e} = g h^y \wedge S = u^y\}$
  • Tally: easy
  • Link: same $S$ results in linking

30
Extend to end-to-end verification
  • Ballot shows candidate, not voter
  • Political consequence
  • Optionally encrypt LRS to multiple authorities
  • Mix/aggregate: ballot shows voter, not candidate
  • Double voting to same candidate OK
  • Assume user has unstoppable posting of ballot/LRS
  • In network congestion, voter posts multiple times
  • Since ballot shows candidate, that candidate's
    site likes to accept the ballot. Also invites
    DoS attack and other issues

31
Extend to incoercion
  • Core technique: CZK (Concurrent ZK), deniable
    authentication. Just like Juels et al. 02, 05,
    Acquisti 03
  • CZK: requires unauthenticated channel
  • No timestamp or other time sequence info
  • Eavesdrop OK: does not hurt anonymity

32
CZK: 4-move easy, 3-move [Dwork, Naor, Sahai]
hard
  • Example: any 3-move proof (com, chal, res),
    e.g. Schnorr authen/iden
  • Prover: $x$, $y = g^x$
  • Move-0: V gen cha, send Hash(cha)
  • Move-1: P sends com
  • Move-2: V sends cha
  • Move-3: P checks move-0 = Hash(move-2), sends res
  • Finally V checks and outputs 0/1
  • Note: P can simulate 2→3→1→0, so V can deny authen
    (deniable authen)
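
The four moves above, worked through for Schnorr identification, together with the 2→3→1→0 simulation that yields an accepting transcript without the secret x. This is an added example, not code from the talk; the toy group and the names `commit`, `Prover`, `honest_run`, `verifier_accepts` and `simulate` are assumptions made for the illustration, and the group is far too small for real use.

```python
import hashlib, secrets

# Constructed toy group: p = 2q + 1, G has prime order q. Not secure.
P, Q, G = 4079, 2039, 4

def commit(cha):
    """Move-0 value Hash(cha), as on the slide (no extra blinding nonce)."""
    return hashlib.sha256(str(cha).encode()).hexdigest()

class Prover:
    def __init__(self, x):
        self.x = x
    def move1(self, h0):
        self.h0, self.r = h0, secrets.randbelow(Q)
        return pow(G, self.r, P)                      # com = g^r
    def move3(self, cha):
        if commit(cha) != self.h0:
            return None        # V changed cha after seeing com: refuse
        return (self.r + cha * self.x) % Q            # res = r + cha*x

def honest_run(x):
    """Run the four moves between an honest V and P; return the transcript."""
    prover = Prover(x)
    cha = secrets.randbelow(Q)      # V fixes cha before seeing com
    h0 = commit(cha)                # move-0: V -> P
    com = prover.move1(h0)          # move-1: P -> V
    res = prover.move3(cha)         # move-2: V -> P, move-3: P -> V
    return h0, com, cha, res

def verifier_accepts(y, transcript):
    h0, com, cha, res = transcript
    return h0 == commit(cha) and pow(G, res, P) == com * pow(y, cha, P) % P

def simulate(y):
    """Accepting transcript built without x, in the order 2 -> 3 -> 1 -> 0."""
    cha = secrets.randbelow(Q)                              # move-2 first
    res = secrets.randbelow(Q)                              # then move-3
    com = pow(G, res, P) * pow(y, (Q - cha) % Q, P) % P     # solve for move-1
    return commit(cha), com, cha, res                       # move-0 last
```

Because `simulate` needs only the public key, a posted transcript proves nothing to a third party, which is the deniability the slide relies on.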

33
Extend LRS e-vote to incoercion
  • Each ballot bout: Authority posts new $u$
  • Each voter posts $S = u^y$
  • Vote: instead of LRS, do CZK
  • CZK transcript is posted, and eventually tallied
  • Some clash with verification, maybe repairable

34
Conclusion
  • State-of-the-art: STORK03, Moran-Naor06, ...
  • Mixnet
  • Homomorphic encryption/aggregate
  • Blind signature
  • Linkable ring signature (linkable disjunctive
    zero-knowledge protocol)
  • This talk's main purpose: most surveys cover 3
    approaches, should be 4