Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No...
-
date post
21-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No...
Electronic Voting Schemes and Other stuff
Requirements
• Only eligible voters can vote (once only)• No one can tell how voter voted• Publish who voted (?)• Voter cannot be coerced/bribed to voting some way• Voter cannot prove how she voted.• The final tally is the correct sum• Every voter can verify her vote, or assign other to verify• Everyone can verify total• No disruption• No partial results known
Chaum’s Onion Routing
BA C D E
Pub Pub Pub PubENC (ENC (ENC (ENC ( , ), ), ), )B C D E E D C Bm R R R R
Pub Pub PubENC (ENC (ENC ( , ), ), )C D E E D Cm R R R
Pub PubENC (ENC ( , ), )D E E Dm R R
BRER
Note: messages are same length
DRCR
Voting in Mix Nets
• Voters create ballots
• Every voter encrypts ballot
• t mix servers (one after the other)
• Decryption network: encryption peeled off and order randomized in server
• Reencryption networks: use El-Gamal
El Gamal Encryption
• g a generation of Zp*, p=2q+1• x is the secret key• y = gx is the public key, g is a generator• E(m) = (gr, myr) = (c1,c2), r random, is the
encryption• D(c1,c2) = c2 / c1
x = m• Reencryption: • ReEnc(c1,c2) = (c1gs, c2ys) , s random, is the
reencryption
Need to prove correct reencryption
• c1 = (gt, m1yt)• c2 = (gu, m2yu)• c1[1]/c2[1] = gt-u = gr = w (Define r = t-u, w)• c1[2]/c2[2] = yt-u = (m1/m2)yr = u• Prover/Verifier Protocol• (gs,ys) = (a,b) -> Verifier• Prover <- c • t = s+cr -> Verifier, check that gt = a wc and that yt = b uc
• Verfier needs to be honest here, why? What does verifier learn?
y=gx
Chaum Pederson
• For G, X, H, Y prove that – logG X = log H Y
• Honest Verifier Zero Knowledge Proof of Knowledge
• Example question for exam:– Define HVZK proof of knowledge– Prove that Chaum Pederson protocol is HVZK
proof of knowledge
Honest Verifier ZK (Sigma-Nets)
• x is common input to P, V, w is a witness for x, private to P
• P sends a message A
• V sends a random t-bit string e.
• P sends a reply z
• V decides to accept or reject based on the data he has seen, i.e. x, a, e, z.
Honest Verifier ZK
• For any (a, e, z), (a, e’, z’) where e <> e’, one can efficiently compute a witness w for x
• There exists a polynomial-time simulator M, which on input x and a random e outputs an accepting conversation of the form (a, e, z), with the same probability distribution as conversations between the honest P, V on input x.
• Proofs of Knowledge: resetable P allows simulator to compute witness w.
Homomorphic El Gamal
• c1 = (gt, m1yt)
• c2 = (gu, m2yu)
• c1c1 = (gt+u, m1m2yt+u)
• Encode 1 = no vote
• g = yes vote
Payments
• Untraceable electronic cash– Online– Offline
• Micropayment protocols
• “Real Protocols” – SET, EMC, – EMC is really used, old– SET seems to be dead in the water
Main idea (Chaum): blind signatures
• RSA: m 1/e mod n
• Blind RSA: – Two party protocol:
• Alice sends Bob (re m) mod n
• Bob computes (re m)1/e = r m1/e mod n
• Alice computes m1/e mod n
• Problems: – Alice can get Bob to sign anything, – Bod does not know what he is signing
Online Non-Anonymous Cash
Let’s follow the flow of a $1 bill:• Alice takes the string m = “account number” || “serial
number”, chooses a random r, and sends m re mod n to the bank
• The bank signs this message and sends m1/e r to Alice
• Alice extracts a signature on “account number” || “serial number” (m1/e) , and gives it to the merchant
• The merchant sends this to the bank, that verifies that the bill has not been used previously
Problems
• No anonymity• What is Alice having signed anyway? The
bank does not know.– Imagine that a signature on the string “f(s)”
means one dollar– Alice could prove to the bank that this is the
format of what she is asking for• Could be done via general multiparty computation• Could be done via cut and choose (the rabbit
problem)
Online Anonymous Cash
• Alice chooses a random s, r, sends re (f(s)) to the bank
• The bank debits Alice’s account by $1 and send r (f(s))1/e to Alice
• Alice extracts (f(s))1/e, and gives it and s to the merchant
• The merchant sends this to the bank, that verifies that the bill (s) has not been used previously
Advantages & Problems:
• The bank has given Alice a bill, but does not know what the bill looks like
• The bank cannot later identify Alice with the bill
• The bank must be online at all times to identify bills
• Multiparty computation is entirely inefficient
How to do cut and choose here
• Alice sends the bank many values z1, z2, …, zk
• The bank asks Alice to reveal ½ of the values zi = ri (f(si))• The bank extracts the root of the multiplication of all the
others• The bill is valid if it is of the root of a product of (f(si)) • Remark: in this case, it’s not clear that we need for Alice
to prove anything to the bank, any deviation from protocol for Alice can only harm her
How to do Offline Anonymous Cash?
• If Alice “double spends” – she will be caught and identified
• If Alice does not – her anonymity is guaranteed
• The merchant cannot reuse the money (other than send it to the bank)
Idea: encode Alice’s identity into the money
• Alice generates f(s1), f(s2), … f(sk), t1 || f(t1), f(t2), …, f(tk), such that si xor ti = “Alice”
• Alice sends blinded versions of all of these to the bank• The bank verifies the correctness and sends Alice the root
of the product of the indices not revealed• The merchant asks alice for the signature and for a random
subset of the indices• If Alice double spends, her identity becomes known to the
bank.
El-Gamal Signature Scheme
• Pick a prime p of length 1024 bits such that DL in Zp* is hard.
• Let g be a generator of Zp*.• Pick x in [2,p-2] at random.• Compute y=gx mod p. • Public key: p,g,y.• Private key: x.
Generation
El-Gamal Signature Scheme
• Hash: Let m=H(M). • Pick k in [1,p-2] relatively prime to p-1 at random.• Compute r=gk mod p. • Compute s=(m-rx)k-1 mod (p-1) (***)• Output r and s.
Signing M
El-Gamal Signature Scheme
• Compute m=H(M).• Accept if 0<r<p and yrrs=gm mod p. else reject.• What’s going on?By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m.
Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .
Verify M,r,s,PK
The Digital Signature Algorithm (DSA)
• Let p be an L bit prime such that the discrete log problem mod p is intractable
• Let q be a 160 bit prime that divides p-1
• Let α be a q’th root of 1 modulo p.
How do we compute α?
The Digital Signature Algorithm (DSA)
• p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = αs mod p)
• Signature on message M:– Choose a random 1 ≤ k ≤ p-1, secret!!
• Part II: (SHA (M) + s (PART I)) / k mod q
• Part I: ((αk mod p) mod q
The Digital Signature Algorithm (DSA)
– p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M:
• Choose a random 1 ≤ k ≤ p-1, secret!!– Part I: ((αk mod p) mod q
– Part II: (SHA (M) + s (PART I)) /k mod q
• Verification: – e1 = SHA (M) / (PART II) mod q
– e2 = (PART I) / (PART II) mod q
– OK if1 2( mod ) mod (PART I)e e p q
The Digital Signature Algorithm
1
22
( ) / ( ) ( mod )mod / mod
( mod )mod / ( ) ( mod )mod / mod
k
k k
SHA M SHA M s p q k qe
e p q SHA M s p q k qe s s
Testing Primitive Elements mod p
Let p be a prime number so that the primefactorization of p-1 is known: p-1 = q1
e1 q2e2 … qk
ek (q1, q2,…, qk primes).
Theorem: gZp is a primitive element in Zp iff
g(p-1)/q1 , g(p-1)/q2, … , g(p-1)/qk are all 1 mod pAlgorithm: Efficiently compute all k powers.Caveat: Requires factorization of p-1.
Proof
• If g is a primitive mod p then gi mod p ≠ 1 for all 1 ≤ i ≤ p-2
• If g is not a primitive element mod p, let d be the order of g. d divides p-1, let q be a prime divisor of (p-1)/d, then
• gd = 1 mod p, d divides (p-1)/q, and so g(p-1)/q =1 mod p.