Electronic Voting

Presented by Ben Riva
Based on presentations and papers of: Schoenmakers,
Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum
Agenda
Why are paper-based elections no longer enough?
What properties must any voting scheme achieve, and why is it so hard?
A few cryptographic primitives in a nutshell.
Schemes in which the voter uses a computer in the booth.
Why is that not enough? The concept of voter verifiability.
Voter-verifiable voting schemes
– Scratch and Vote.
– Reynolds’ scheme.
What next?
Paper Based Elections

Flexible
Simple to understand
Simple to perform
Transparent
But, a famous man once said - "Those who cast the votes decide nothing. Those who count the votes decide everything."
Why Paper Based Elections Are Not Enough?
Votes can be easily altered.
Votes can easily be defected.
Weak privacy.
Re-counts mean almost nothing.

What Do We Want?
Unforgeability: No one can falsify the result of the voting.
Eligibility, Unreusability: Respectively, only eligible voters may vote, and no voter can vote twice.
Auditability, Universal auditability: The first describes the ability of any individual voter to determine whether or not his vote has been correctly placed. The second corresponds to the ability of any auditor to determine that the whole protocol was followed correctly, given that votes had been correctly placed.
Robustness: Dishonest participants cannot disrupt the voting. In particular, cheating players should be detected, and it should be possible to prove their malicious behavior and to finish the voting process and the counting without their help.
Privacy: No one can link a voter with his vote.
Coercion resistance (also called receipt freeness): A voter cannot prove how he voted. This is essential for avoiding vote selling.
Why Is It Hard?
Good privacy and universal verifiability at the same time…
Coercion resistance and unforgeability…

Few Cryptography Primitives in a Nutshell
One-Way Functions
A function $f: D \to R$ is called one-way if:
– Computing $f(x)$ is “easy”.
– Computing $f^{-1}(y)$ for almost all the images is “hard”.
E.g. (under the DL assumption)
– Prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$.
– $f(x) = g^x \pmod p$.
RSA Cryptosystem
Famous Public Key cryptosystem
– A key generation algorithm
• Let $N = pq$ be the product of two primes
• Choose $e$ such that $\gcd(e, \varphi(N)) = 1$
• Let $d$ be such that $de \equiv 1 \bmod \varphi(N)$
• The public key is $(N, e)$
• The private key is $d$
– An encryption algorithm
• Encryption of $M \in \mathbb{Z}_N^*$ by $C = E(M) = M^e \bmod N$
– A decryption algorithm
• Decryption of $C \in \mathbb{Z}_N^*$ by $M = D(C) = C^d \bmod N$
El Gamal Cryptosystem
Probabilistic, homomorphic public-key encryption scheme over a multiplicative group of prime order.
A key generation algorithm
Publicly choose two large primes $q'$ and $q$ such that $q \mid q'-1$, i.e., $q' = qk+1$ for some integer $k$. We also fix a generator $g'$ of $\mathbb{F}_{q'}^*$. The cyclic group $G$ we work with is the one generated by $g = (g')^k$ and has order $(q'-1)/k = q$.
Private key $x \in G$. Public key $y = g^x$.
An encryption algorithm
To encrypt $m \in G$ we choose uniformly at random $r \in [1..q-1]$ and output $E(q', q, g, m, y; r) = (g^r, m \cdot y^r)$.
A decryption algorithm
To decrypt a tuple $(a, b)$ we compute $m = b a^{-x}$.
We abbreviate $E(q', q, g, m, y; r)$ to $E(m, y; r)$.
ElGamal encryption is multiplicatively homomorphic, meaning $E(m_1, y; r_1) * E(m_2, y; r_2) = E(m_1 m_2, y; r_1 + r_2)$.
– Re-encryption of $E(m, y; r_1)$ is $E(m, y; r_1) * E(1, y; r_2)$, which results in $E(m, y; r_1 + r_2)$.
Digital Signatures

We focus on electronic signatures that use public-key cryptography.
E.g. (Based on RSA)
– A key generation algorithm
• Same as in RSA encryption.
– A signing algorithm
• Same as decryption of $M \in \mathbb{Z}_N^*$ by $C = D(M) = M^d \bmod N$.
– A verification algorithm
• Same as encryption of $C \in \mathbb{Z}_N^*$ by $M = E(C) = C^e \bmod N$.
• Can be calculated and verified by anyone.
Concept of Blind Signatures …
Secret Sharing

Based on the following problem: assuming that there are N players, how can a dealer share a secret in such a way that any group of t (< N) or more players can recreate the secret, but any group of fewer than t players cannot? Such a scheme is called a (t,N)-threshold secret sharing scheme.
Shamir Secret Sharing Scheme
The dealer selects t-1 random integers, which form a polynomial f(x) of degree t-1 such that f(0) = S.
The dealer calculates f(i) for each player i. Those are their private shares.
Any group of t or more players can recreate the polynomial and S (using Lagrange interpolation).
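The dealing and reconstruction steps above, as an added Python example (not code from the presentation). It assumes the arithmetic is done modulo a prime, here the constructed choice 2^127 - 1, and the names make_shares and recover are illustrative.

```python
import secrets

P = 2**127 - 1  # prime modulus (assumption: any prime larger than the secret and N works)

def make_shares(secret, t, n, p=P):
    """Dealer: random polynomial f of degree t-1 with f(0) = secret; player i gets (i, f(i))."""
    if not (1 <= t <= n < p) or not (0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares, p=P):
    """Lagrange interpolation of f at x = 0 from a list of (i, f(i)) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p          # numerator of the basis polynomial at 0
                den = den * (xi - xj) % p      # its denominator
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret
```

With fewer than t shares the interpolation still returns a value, but it is unrelated to S, so callers must know t and refuse to reconstruct below it.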

Threshold Encryption

In threshold encryption we have N authorities, and we want to encrypt a message in a way that any t or more authorities could decrypt it. Again, any group of fewer than t authorities will not be able to do so.
No trusted dealer.
Solutions are similar to Shamir’s scheme [CGS, Pedersen].
Zero-knowledge Proofs
Interactive protocols between two players, Prover and Verifier, in which the prover proves to the verifier, with high probability, that some statement is true.
Does not leak any information besides the veracity of this statement.
In the case of honest-verifier ZKP, we can make the protocol non-interactive.

Zero-knowledge Proof Example
Let $g_1, g_2$ be generators of $\mathbb{Z}_q^*$.
The Prover claims that $\log_{g_1} v = \log_{g_2} w$ $(= x)$ for publicly known $v, w, g_1, g_2$.
– P chooses random $z \in [1..q]$ and sends $a = g_1^z$, $b = g_2^z$.
– V selects random $c \in [1..q]$ and sends it.
– P sends $r = (z + cx)$.
– V verifies that $g_1^r = a v^c$ and $g_2^r = b w^c$.
Can be turned into non-interactive
– $c = \mathrm{Hash}(a, b, v, w)$.
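The non-interactive variant of this proof, as an added Python example (not code from the presentation). It assumes a constructed toy subgroup of prime order q = 1019 inside Z_p^* with p = 2039, generators 4 and 9, SHA-256 as the hash, and r reduced mod q; the verifier also rejects values outside the subgroup.

```python
import hashlib
import secrets

P, Q = 2039, 1019    # toy safe prime p = 2q + 1 (constructed; far too small for real use)
G1, G2 = 4, 9        # squares mod p, so both generate the subgroup of order q

def challenge(a, b, v, w):
    """c = Hash(a, b, v, w), reduced mod q."""
    data = ",".join(map(str, (a, b, v, w))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x):
    """Prover knows x with v = g1^x and w = g2^x; returns (v, w, proof)."""
    v, w = pow(G1, x, P), pow(G2, x, P)
    z = secrets.randbelow(Q - 1) + 1            # fresh commitment randomness
    a, b = pow(G1, z, P), pow(G2, z, P)
    c = challenge(a, b, v, w)                   # replaces the verifier's random c
    r = (z + c * x) % Q
    return v, w, (a, b, r)

def verify(v, w, proof):
    """Check g1^r = a * v^c and g2^r = b * w^c with c recomputed from the hash."""
    a, b, r = proof
    # Reject anything that is not an element of the order-q subgroup.
    if any(not (0 < e < P) or pow(e, Q, P) != 1 for e in (v, w, a, b)):
        return False
    c = challenge(a, b, v, w)
    return (pow(G1, r, P) == a * pow(v, c, P) % P and
            pow(G2, r, P) == b * pow(w, c, P) % P)
```

Because c is derived from the statement (v, w) as well as the commitments, a proof cannot be replayed for a different pair of values.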
Useful ZKP

Equality of discrete logarithms:
– The prover knows discrete logarithms of $v$ and $w$, and claims they are the same, $\log_{g_1} v = \log_{g_2} w$ (for known $g_1, g_2$).
1-out-of-L re-encryption:
– The prover wants to prove that for a publicly known pair $(x, y)$ there is an ElGamal re-encryption in the L encrypted pairs $(x_1, y_1) … (x_L, y_L)$.
1-out-of-L message encryption:
– Given L plain-text messages $m_1 … m_L$, the prover wants to prove that a tuple $(x, y)$ is an encryption of one of the L plain-texts.
Schemes in which the voter uses a computer in the booth
First Fundamental Decision
You have essentially two paradigms to choose from…
– Anonymized Ballots.
– Ballotless Tallying.
The Mix-Net Paradigm
Chaum, Sako & Kilian…
[Figure: a batch of votes passes through a MIX; the final slide chains two MIXes.]
The Homomorphic Paradigm
Benaloh, Cramer et al…
[Figure: Tally]
CGS97 (Cramer, Gennaro and Schoenmakers) - Ballotless Tallying
Uses robust threshold ElGamal.
Players:
– Authorities $a_1 … a_s$.
– Candidates: –1 and 1.
– Voters $v_1 … v_n$.
– Public Board.
CGS97 The Protocol
Initialization
– All authorities publish
• Their shares.
• A threshold public key $S$.
• Another generator $h$ of the multiplicative group
– The legal votes will be $h^{-1}$, $h^{1}$.
Voting
– A voter encrypts his vote $b_i$ using $E(h^{b_i}, S; r)$ and publishes it along with a non-interactive proof of validity of the vote on a public board.
Verification
– All voters' non-interactive proofs are verified (publicly) and invalid votes are deleted.
Tallying
– After the election ends, t authorities calculate $E(h^{total}, S; r_{total}) = \prod_i E(h^{b_i}, S; r)$ and publicly decrypt it to get $h^{total}$. Now, anyone can find Total (using linear time exhaustive search), which is the difference between the number of votes for each candidate.
Those calculations can also be verified using a non-interactive zero-knowledge proof of equality of discrete logarithms.
Using Paillier encryption we can eliminate the exhaustive search.
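The voting and tallying steps above, together with the ElGamal homomorphism and re-encryption from the primitives section, as an added Python example (not code from the presentation or from CGS97). It assumes a constructed toy group (p = 2039, q = 1019, g = 4, h = 9) and a single key holder standing in for the t authorities; the validity proofs are omitted.

```python
import secrets

P, Q = 2039, 1019    # toy safe prime p = 2q + 1 (constructed; illustration only)
G, H = 4, 9          # generators of the order-q subgroup; h encodes the vote

def keygen():
    """Private x in [1, q-1], public y = g^x (one key holder instead of t authorities)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(m, y, r=None):
    """E(m, y; r) = (g^r, m * y^r)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), m * pow(y, r, P) % P

def decrypt(ct, x):
    """m = b * a^(-x)."""
    a, b = ct
    return b * pow(a, -x, P) % P

def mul(c1, c2):
    """Componentwise product: E(m1; r1) * E(m2; r2) = E(m1*m2; r1 + r2)."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def cast(vote, y):
    """Encrypt a vote b in {-1, +1} as E(h^b, y; r)."""
    if vote not in (-1, 1):
        raise ValueError("legal votes are -1 and +1")
    return encrypt(pow(H, vote, P), y)

def tally(ballots, x):
    """Multiply all ballots, decrypt h^total, then search for total in [-n, n]."""
    n = len(ballots)
    if 2 * n + 1 > Q:
        raise ValueError("too many ballots for this toy group")
    acc = (1, 1)                          # E(1; 0), the neutral ciphertext
    for ct in ballots:
        acc = mul(acc, ct)
    h_total = decrypt(acc, x)
    for total in range(-n, n + 1):        # linear-time exhaustive search
        if pow(H, total, P) == h_total:
            return total
    raise ValueError("decrypted value is not h^total for |total| <= n")
```

Only the product of the ballots is ever decrypted, so no individual vote is opened; multiplying a ballot by encrypt(1, y) re-encrypts it without changing the plaintext.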
CGS97 Scheme – Properties
Privacy: As long as there are at most t-1 dishonest authorities
Coercion resistance: Easy to coerce
Robustness: As long as there are t honest authorities
Unforgeability: computational
Eligibility, Unreusability
Auditability
So what more do we want?

A voter is not a computer!
We want the voter to vote bare-handed. The voter:
– Does not bring any electronic device.
– Does not perform cryptographic computations in his head.
– Uses only human abilities.
We want him to be able to verify the booth’s behavior - Voter Verifiability.
Voter Verifiable Voting Schemes
Scratch and Vote (Adida and Rivest 2006)
Very simple idea.
Uses threshold Paillier encryption.
– The voter picks two ballots from a big bin.
– The voter scratches off the scratch surface of one ballot, and later he can verify its validity.
– The voter marks his selection on the other ballot, shreds the candidates list and surrenders it to the poll-workers.
– The poll-worker shreds the scratch surface.
– The voter feeds the rest into a scanner and takes it home as a receipt.
Scratch and Vote – The Ballot
The ballot consists of
– Candidates list in a random order (left part).
– A barcode made of encryptions and NIZKP.
– A scratch surface which conceals the randomness used for the encryptions.
Scratch and Vote – Verification and Tallying
Every voter can check that his vote is published correctly.
Ballots are checked using their NIZKP.
A threshold decryption of the product of all legal cast ballots is executed …

Scratch and Vote – Properties
Pros.
– Very simple to use.
– Voter verifiable.
– Efficient.
Cons.
– If it uses an empty ballots bin
– If it uses a computer and a printer to create the ballots in front of the voter
– Without signatures, the voter can claim anything later.
– With signatures, the voter needs computer assistance.
– Shredding
– The voter has no receipt.
– Also, signatures are not handled properly
– The booth knows what the voter voted.
– If it uses another ballots bin to collect the ballots
– The booth can misbehave.
– If it uses a scanner to record the ballots
– A coercer can steal a valid ballot and coerce someone to use it (chain voting).
– If we want to print the ballots in front of the voter, we must verify the voter shreds the left part.
– Random coercion
– A coercer can coerce the voter to vote randomly.
Reynolds’ Scheme
Voter enters the booth and receives a blank ballot.
The voter fills in two random numbers inside the boxes of the candidates he does not want.
The booth prints a few encryptions (later).
The voter fills in the last number and casts the ballot. He also takes it as a receipt.
Example ballot (Voter = Ben Riva):
Candidate | E(di), E(vote?)     | Box | Number in box
yellow    | E(157), E(0), NIZKP | d1  | 157
green     | E(536), E(1), NIZKP | d2  | 222
blue      | E(732), E(0), NIZKP | d3  | 732
Reynolds’ Scheme – What are the NIZKP?
If we use threshold ElGamal, then the NIZKPs consist of
– A proof that for each line i: $D_i = E(d_i)$ OR $V_i = E(h^1)$
– A proof that for each line i: $V_i = E(h^0)$ OR $V_i = E(h^1)$
– A proof that $V_i = E(h^1)$
Where h is another generator of the group…
Reynolds’ Scheme – Verification and Tallying
Every voter can check that his vote is published correctly.
Ballots are checked using their NIZKPs.
A threshold decryption of the product of all legal cast ballots’ lines is executed.
Final tally
[Figure: the published ballots of three voters (Ben Riva, David B, Alon C), each with one line per candidate of the form E(di), E(vote), NIZKP. The encrypted votes shown are yellow E(0), green E(1), blue E(0); yellow E(1), green E(0), blue E(0); and yellow E(0), green E(1), blue E(0).]
Yellow – 1
Green – 2
Blue - 0
Some Of The Problems

Has almost the same problems as SnV with
– Privacy.
– Coercion.
– Robustness.
Other schemes (Neff, Chaum, Ryan…) have similar problems.
The Main Thing…
The Projects

Scratch and Vote
– Encryption – threshold Paillier.
– Ref
• Base paper - Ben Adida and Ronald L. Rivest. Scratch & Vote: Voter-Verifiable Paper-Based Cryptographic Voting.
Reynolds’ scheme
– Encryption – threshold ElGamal.
– Ref
• Base presentation - D. J. Reynolds. A method for electronic voting with coercion-free receipt. FEE 05.
• For NIZKP - Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT.
Also
– Public board.
– Digital signatures.