Receipt-free Voting Through Distributed Blinding
Joint work with Markus Jakobsson
Ari Juels, RSA Laboratories
Coercion-free Voting Through Distributed Blinding
Why do we want coercion-free voting?
• Blackmail with a long arm
• Vote buying
– Anonymous peer-to-peer networks
– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
• Home voting
– Shoulder surfing
– Proximate coercion
Receipt-freeness required
Coercion-freeness required
Attack model
• Attacker cannot interfere with registration process (otherwise can simulate voter)
• Attacker can provide keying or other material to voter prior to vote (even entire ballot)
• Two possibilities during vote:
– Assume no attacker presence at time of vote (countermeasure: receipt-freeness)
– Assume attacker sometimes present (countermeasure: coercion-freeness)
• Attacker has access to all public information, i.e., encrypted and decrypted ballots
Cast of characters
Voting authority
Attacker
Voter (Alice)
I Like Ike
Some visual notation
Ciphertext
Mix network (publicly verifiable)
Hirt-Sako approach
IDEA: Voter commits publicly to vote, but ballot preparation is secret
TOOLS (scheme-specific):
– Designated verifier proofs (DV Proof)
– Untappable channels
Ballot blinding
[Figure: Authority 1, Authority 2; candidates Bore, Gush, Nadir; P1, P2; blinded ballot: P = P1 P2]
Voting
[Figure: Authority 1, Authority 2; DV Proof of P1; DV Proof of P2; P = P1 P2]
Voting
[Figure: candidates Bore, Gush, Nadir; Alice’s vote: Bore]
Drawbacks
• Cost per ballot is linear in number of candidates
• Requires untappable channels for vote
• Not fully coercion resistant, e.g., not resistant to shoulder surfing
• Not resistant to collusion between adversary and authorities
• Subject to “randomization” attack
Randomization attack
[Figure: random choice: Gush]
Now Alice is unlikely to select her intended choice, Bore
“Proof” that collusion resistance is not possible with public verifiability
We must identify voter in order to have public verifiability
If attacker controls an authority, he can do “spot checking”
In order not to risk “spot checking”, voter must reveal all communication
Thus, untappable channels are breached and all transcripts are revealed
Our scheme represents a counterexample to this “proof”...
(and more?)
New tool for our scheme
• Anonymous credential = Voting key
– Essentially a group signature key
– Carries hidden, identifying tag, called tag_i
– Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold blinding function
[Figure: tag_i, val_i]
Some notation
• Let B’() denote another, independent threshold blinding function
• Let E[m] denote El Gamal ciphertext on m:
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
• Core ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not validator is correct
• Attacker cannot tell whether a vote is valid or not
Anatomy of a ballot
[Figure: credential (tag_i, val_i); ballot (tag_i, val_i, vote_i, proof_i)]
• proof_i: NIZK proof that tag_i ciphertext is valid for credential
• Anonymous credential signature
• validator = B(tag_i)
Tallying Ballots
Step 1: Check group signatures and proofs
[Figure: Authority 1, Authority 2; ballots (tag_1, val_1, vote_1, proof_1), (tag_2, val_2, vote_2, proof_2), (tag_3, val_3, vote_3, proof_3), ..., (tag_n, val_n, vote_n, proof_n), each to be checked]
Tallying Ballots
Step 2: Mixing ballots
[Figure: Authority 1, Authority 2; ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’) before and after re-encryption]
Tallying Ballots
Step 3: Joint blinding and decryption of validators
[Figure: Authority 1, Authority 2; input (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’); output (tag_1, vote_1, B’(val_1)), (tag_2, vote_2, B’(val_2)), ..., (tag_n’, vote_n’, B’(val_n’))]
Tallying Ballots
Step 4: Elimination of duplicates by validator
[Figure: Authority 1, Authority 2; entries (tag_1, vote_1, B’(val_1)), (tag_2, vote_2, B’(val_2)), (tag_3, vote_3, B’(val_3)), ..., (tag_n’, vote_n’, B’(val_n’)); label: equal validators]
Tallying Ballots
Step 5: Verification of validators
• Authorities compute B’(B(E[tag_i])) = E[B’(B(tag_i))] and jointly decrypt
• If result is B’(val_i), then validator is correct
• Otherwise ballot is invalid and is thus removed
[Figure: Authority 1, Authority 2; entry (tag_i, vote_i, B’(val_i)); E[tag_2]; if correct, B’(val_i) = B’(B(tag_i))]
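An added example (not from the slides): a toy two-authority run of the validator handling in Steps 3 and 5, built on the homomorphism B(E[m]) = E[B(m)]. It assumes B and B’ are exponentiation by a secret exponent shared multiplicatively among the authorities; the group parameters, function names and sample tag are constructed, and the group signatures, NIZK proofs and mixing are left out.

```python
import secrets

# Toy group (constructed, far too small for real use): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def setup(n=2):
    """Each of n authorities holds a key share and exponent shares for B and B'."""
    auth = {k: [rand_exp() for _ in range(n)] for k in ("x", "B", "B2")}
    auth["y"] = pow(G, sum(auth["x"]) % Q, P)    # joint ElGamal public key
    return auth

def encrypt(y, m):
    r = rand_exp()
    return (pow(G, r, P), m * pow(y, r, P) % P)  # E[m] = (g^r, m * y^r)

def blind(m, shares):
    """B(m): every authority raises m to its secret share in turn (assumed form of B)."""
    for s in shares:
        m = pow(m, s, P)
    return m

def blind_ct(ct, shares):
    """B(E[m]): blind both components; the result is an encryption of B(m)."""
    return (blind(ct[0], shares), blind(ct[1], shares))

def joint_decrypt(ct, x_shares):
    a, b = ct
    d = 1
    for x in x_shares:                           # authority i contributes a^(x_i)
        d = d * pow(a, x, P) % P
    return b * pow(d, -1, P) % P

def blinded_validator(auth, enc_val):
    """Step 3: decrypt B'(E[val]); equal outputs expose duplicates for Step 4."""
    return joint_decrypt(blind_ct(enc_val, auth["B2"]), auth["x"])

def validator_ok(auth, enc_tag, enc_val):
    """Step 5: accept only if B'(val) equals the decryption of B'(B(E[tag]))."""
    both = blind_ct(blind_ct(enc_tag, auth["B"]), auth["B2"])
    return blinded_validator(auth, enc_val) == joint_decrypt(both, auth["x"])

if __name__ == "__main__":
    auth = setup()
    tag = pow(G, 123, P)                         # constructed credential tag
    real = blind(tag, auth["B"])                 # val = B(tag), issued with the credential
    fake = real * G % P                          # a false validator handed to a coercer
    for val in (real, fake):
        print(validator_ok(auth, encrypt(auth["y"], tag), encrypt(auth["y"], val)))
```

Only the jointly decrypted B’(val) is ever revealed, so a ballot carrying the false validator is dropped at Step 5 without the validator itself being exposed.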
Tallying Ballots
Step 6: Joint decryption of valid votes
[Figure: Authority 1, Authority 2; vote_1, vote_2, vote_3 jointly decrypted; results shown: Gush, Bore, Bore]
Coercion is eliminated
• Key idea: Attacker cannot tell a false validator from a real one
– If attacker demands voting key, voter can provide false validator
– If attacker demands that voter cast a certain type of vote, and demands pointer(s)
  • Voter can vote as demanded using false validator
  • Voter can re-vote using correct validator
– This holds even if attacker colludes with a minority of authorities
Well, there’s always Florida
Features of scheme
• Overhead on top of mixing process is minimal, thus the scheme is quite practical
– Cost is effectively independent of number of candidates
• No need for untappable channels during vote
– We need some access to anonymous channels
• Resistant to “randomization” attacks
• Resistant to collusion with authorities
• Potential resistance to shoulder-surfing attack
Additions
• Votes can be countersigned by polling station, indicating priority
• If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
– Requires an additional mixing step
• Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar
• Careful modeling required and largely unaddressed
Questions?
Appendix: Improvement to Hirt-Sako
Idea: Secret sharing of vote
[Figure: Vote = V_1V_2; Authority 1, Authority 2; V_1, V_2]
Idea: Secret sharing of vote
[Figure: Vote = V_1V_2; Authority 1, Authority 2; V_1, V_2; two ZK-DV Proofs of correct encryption]
And then…
Vote V1 V2= x
Remarks
• No randomization attack possible
• Cost is (1) per vote
• By letting V_i = -1 or 1, we can check validity