Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy Saturday 4 September 2010 research & development Outline 1. Introduction 2. JCJ scheme – a review 3. Improving JCJ: 4. Client/Server trade-offs in universally verifiable elections 5. Conclusion 2 Orange Labs - Research & Development 1 Introduction 3 Orange Labs - Research & Development Electronic Voting Methods • Supervised voting (off-line voting) • Remote Electronic Voting (on-line voting) 4 Orange Labs - Research & Development Some desired properties of e-voting systems Eligibility: only legitimate voters can vote, and only once Universal verifiability: All voters can verify that the final tally is correct The votes they cast are included Only authorized votes are counted No votes are changed during tallying Privacy: no adversary can learn any more about votes than is revealed by the final tally (Perfect) Anonymity: hide map from voter to vote Receipt-freeness: prohibit proof of vote Coercion-resistance: adaptative Stronger Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. 5 Orange Labs - Research & Development Incompatible Properties Under usual assumptions we cannot achieve*: Universal Verifiability and Perfect Anonymity simultaneously, unless all registered voters actually vote Universal Verifiability and Receipt-Freeness unless private channels are available between the voters and/or the voting authorities) * On Some Incompatible Properties of Voting Schemes, Benoît Chevallier-Mames, Pierre-Alain Fouque, David Pointcheval, Julien Stern, Jacques Traoré, Workshop On Trustworthy Elections 2006. 6 Orange Labs - Research & Development 2 7 JCJ – a brief review Orange Labs - Research & Development JCJ scheme* – a review Basic ingredients: Voter employs anonymous credential obtained during the registration phase Valid credentials are required for vote to count Voter can make "fake credentials" and vote multiple times We don’t know who voted (at time of voting) or what was voted A coercer cannot tell whether a credential is correct or not • Attacker cannot tell whether a vote is valid or not Basic idea: To mislead a coercer, the voter sends invalid ballot(s) as long as he is coerced, and a valid ballot as soon as he is not coerced It suffices that the voter finds a window-time during which he is not coerced * Juels-Catalano-Jakobsson - WPES 2005 8 Orange Labs - Research & Development Security model Registration: Before voting: Attacker can provide keying or other material to voter (even entire ballot) During vote: Attacker cannot interfere with registration process Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees) Bulletin board is universally accessible At all times: Attacker has access to all public information, i.e., encrypted and decrypted ballots Assumption. Voters trust their voting client. 9 Orange Labs - Research & Development Basic Tools Building Blocks El Gamal cryptosystem: G a group of prime order p, g a generator of G 10 El Gamal cryptosystem (They need in fact a variant of El Gamal for their security proof: Jarecki and Lysyanskaya, Eurocrypt 2000) the secret key is x, the public key is h = gx, Encryption of m is c = (gr, hrm), Decryption of c is (gr)-x (hrm) Orange Labs - Research & Development El Gamal cryptosystem Decryption (private key) can easily be distributed No need to trust a single entity Encryption is homomorphic Multiplicative, or additive with a variant: Eh(m)* Eh(m') = Eh(m*m') • Eh(m)* Eh(m') = Eh(m*m') • Eh(m)k = Eh(mk) Comparing the plaintexts of two ciphertexts (without decrypting them) is easy: Threshold Plaintext Equivalence Test (PET): PET(Eh(m1), Eh(m2) = 1 if m1 = m2 and 0 otherwise Re-encryption is easy : mix-nets can be efficiently implemented 11 Computing on encrypted data is easy For simulating an "anonymous channel" For simulating "ballot shuffle" C = (gr, hr.m) can be transformed on a new ciphertext C' of m without knowing m and/or the secret key : C' = (gr+r', hr+r'.m) Orange Labs - Research & Development Cast of Characters Receive their credential during the registration phase Voters Issue credentials in a distributed manner during the registration phase. They share an El Gamal secret key. R is the corresponding public key Registration Authorities Try to verify whether the coerced voter voted as prescribed Coercer Talliers 12 Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Orange Labs - Research & Development Registration The authorities generate a random value CS Credential List 1 Mr Baker : ER (CB) CS ER (CS) Mr Durand : ER (CD) Mr Traoré : ER (CT) Registration Authorities Mr Smith Mr Smith : ER (CS) Mr Smith's credential is CS. He can send a fake credential FakeCS to the coercer FakeCS Mr Smith 13 Coercer Orange Labs - Research & Development Voting Anatomy of a ballot: (ET (vote), ER (Credential), NIZKPs) Vote under coercion Bulletin Board 1 ET (Bush), ER (FakeCS), NIZKPs Revote Bulletin Board 1 ET (Gore), ER (CS), NIZKPs Mr Smith 14 Orange Labs - Research & Development Tallying Ballot Step 1: Check NIZKPs Bulletin Board 1 ET (Bush), ER (FakeCB), NIZKP ET (Gore), ER (CD), NIZKP ET (Bush), ER (FakeCS), NIZKP ET (Gore), ER (CS), NIZKP ET (Gore), ER (CJ), NIZKP ET (Bush), ER (CK), NIZKP Tallier 1 Tallier 2 ET (Bush), ER (CE), NIZKP . . ET (Bush), ER (CJ), NIZKP Ballots with invalid NIZKP are discarded 15 Orange Labs - Research & Development Tallying Ballot Step 2: Elimination of duplicates using PET Bulletin Board 2 ET (Bush), ER (FakeCB) ET (Gore), ER (CD) ET (Bush), ER (FakeCS) ET (Gore), ER (CS) ET (Gore), ER (CJ) ET (Bush), ER (CE) . . ET (Bush), ER (CJ) Authority 1 Authority 2 Keep the last one for example 16 Orange Labs - Research & Development Tallying Ballot Step 3: Mixing the ballots Tallier 1 Bulletin Board 3 Bulletin Board 4 ET (Bush), ER (FakeCB) ET (Bush), ER (CJ) ET (Bush), ER (FakeCB) ET (Gore), ER (CD) ET (Bush), ER (FakeCS) 17 Tallier 2 Mix Net ET (Gore), ER (CS) ET (Gore), ER (CS) ET (Gore), ER (CD) ET (Bush), ER (CE) . . ET (Bush), ER (CJ) ET (Bush), ER (CE) … . E‘(©) . ET (Bush), ER (FakeCS) … … Orange Labs - Research & Development Tallying Ballot Step 4: Mixing the list of valid credentials Tallier 1 Credential List 1 Credential List 2 Mr Baker : ER (CB) ER (CD) Mr Durand : ER (CD) 18 Tallier 2 Mix Net ER (CS) Mr Traore : ER (CT) ER (CB) Mr Smith : ER (CS) ER (CT) Orange Labs - Research & Development … E‘(©) … … Tallying Ballot Step 5: Checking credentials using PET Authority 1 Authority 2 Bulletin Board 4 Credential List 2 ET (Bush), ER (CJ) ET (Bush), ER (FakeCB) PET ER (CD) ER (CS) ET (Gore), ER (CS) 19 ET (Gore), ER (CD) ER (CB) ET (Bush), ER (CE) . . ET (Bush), ER (FakeCS) ER (CT) Orange Labs - Research & Development … E‘(©) … … Tallying Ballot Step 6: Decrypt valid votes Authority 1 Results Bulletin Board 5 ET (Bush) ET (Gore) Authority 2 Distributed Decryption Bush Gore ET (Gore) Gore ET (Bush) Bush … E‘(©) … … 20 Orange Labs - Research & Development Drawbacks quadratic overhead N the number of voters, V the number of votes (V ≧ N) O(V2) tests for duplicates O(N2) matching tests Civitas: Towards a secure voting system (IEEE Symposium on Security and Privacy 2008) It took five hours to tabulate (only) 500 votes. Denial of service attack / Flooding Attack Other proposals either have been broken or do not really satisfy the coercion-resistance property 21 Acquisti, 2004 Smith, FEE'05 Schweisgut, E-voting 2006 Meng, ICSNC 2007 Orange Labs - Research & Development 3 Improving JCJ « Clarkson, Chong, and Myers [16] have devised and implemented a refined protocol in a system called Civitas, and achieved good scalability by partitioning the population of voters. It is certainly conceivable that there exists a provably secure, coercion-resistant electronic voting scheme with lower complexity— perhaps even linear. Constructing one remains an open problem ». Ari, Juels, Dario Catalano and Markus Jakobsson, CoercionResistant Elections, Towards Trustworthy Elections, LNCS 6000, 2010. 22 Orange Labs - Research & Development Basic Tools Building Blocks 23 Homomorphic Cryptosystem Plaintext Equivalence Test Mix Net Designated Verifier Signature Scheme Orange Labs - Research & Development Designated verifier signature scheme Based on "Boneh-Boyen-Sacham's group signature scheme (Crypto 2004) Setup: Generators g0, g, h of a cyclic group G of order p where DDH is hard Public key of the signer: PK = g0y, Secret key of the signer: SK = y "Signature" on a random message x: Choose a random value r Compute A = (g hx)1/(y+r) "Signature" on x = (A, r) along with a proof that LogA(A-rghx) = Logg0(PK ) Ay = A-rghx Ay+rg-1h-x = 1 (1) (2) Designated Verification: Prove that LogA(A-rghx) = Logg0(PK ) using a Designated Verifier Proof (Jakobsson-Sako – Impagliazzo) Only the (designated) verifier can be convinced by this proof 24 Deciding whether a pair (A, r) is a valid signature on a message x is Orange Labs -to Research & Development equivalent the DDH problem Designated Verifier Proof Designated verifier proof Only convinces the designated verifier Does not convince any other party Prove either the equality of the Discrete logarithms or the knowledge of the private key of the designated verifier Equality of the Discrete Logarithms or private key of the designated verifier 25 Orange Labs - Research & Development Cast of Characters Receive their credential during the registration phase Voters Issue credentials in a distributed manner during the registration phase. They share a secret key of our DVS. R is the corresponding public key Registration Authorities Try to verify whether the coerced voter has voted as prescribed Coercer Talliers 26 Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Orange Labs - Research & Development Set-up Setup: Generators g0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g0y,SK= y Talliers: share y and an ElGamal secret key Registration Credential: (A, r, x) • x and r are randomly chosen by R • A is computed as follows by R: A = (g hx)1/(y+r) A credential is valid iff the voter knows two values x and r such that: Aγ+r=g hx (which is equivalent to Ay+rg-1h-x = 1) Fake credential: (A , r , x’) 27 Orange Labs - Research & Development Registration The registration authorities generate in a distributed manner* a signature (A, r) on a random value x and prove to Mr Smith using a DVP that the signature is valid (A, r, x) Registration Authorities Mr Smith Mr Smith's credential is (A, r, x). He can send a fake credential (A, r, x') to the coercer Is it a valid credential? (A, r, x') Coercer Mr Smith * Wang, Zhang and Feng, Indocrypt 2005 28 Orange Labs - Research & Development Basic Facts about these credentials A passive coercer can't check if a credential is valid or not under the DDH assumption : given g, ga , gb, gc decide whether c = ab mod p or not. A coercer can't forge valid credentials under the q-SDH assumption q q-SDH: given g, gx, …, g(x ), find a pair (c, A) such that Ax+c = g An active coercer can't check if a credential is valid or not (under the Strong DDH Inversion (SDDHI) assumption) * The SDDHI assumption holds in generic groups 29 Orange Labs - Research & Development Anatomy of a ballot Credential : A tuple (A, r, x) such that Ay+rg-1h-x = 1 Ballot 30 (ET [vote], ET [A], ET [Ar], ET [hx], F=mx, P) P is a NIZKP of validity, that is : • ET (vote) is an encryption of a valid vote • Voter knows the plaintext related to ET (A) • Voter knows the "discrete logarithm" of ET [Ar] in the base ET [A] • Voter knows the plaintext related to ET [hx] as well as the discrete logarithm x of this plaintext in the base h. • Voter knows the discrete logarithm of F in the base m and that this discrete logarithm is equal to x Orange Labs - Research & Development Voting Anatomy of a ballot: (ET (vote), ET (A), ET (Ar) ET (hx), mx, Proof) Vote under coercion Bulletin Board 1 ET (Bush), ET (A), ET (Ar) ET (hx'), mx', Proof1 Revote Bulletin Board 1 ET (Gore), ET (A), ET (Ar) ET (hx), mx, Proof2 Mr Smith 31 Orange Labs - Research & Development Tallying phase Step 1: Discard ballots with invalid proofs Bulletin Board 1 ET (Bush), ET (A), ET (Ar) ET (hx'), mx', Proof1 ET (Bush), ET (B), ET (Bs) ET (hy), my, Proof2 ET (Bush), ET (C), ET (Ct) ET (hz), mz, Proof3 ET (Gore), ET (B), ET (Bs) ET (hy), my, Proof4 ET (Bush), ET (D), ET (Du) ET (hv), mw, Proof5 Tallier 1 ET (Gore), ET (A), ET (Ar) ET (hx), mx, Proof6 32 Orange Labs - Research & Development Tallier 2 Tallying phase Step 2: Elimination of duplicates: the ballots that have the same fifth component Bulletin Board 2 ET (Bush), ET (A), ET (Ar) ET (hx'), mx' ET (Bush), ET (B), ET (Bs) ET (hy), my ET (Bush), ET (C), ET (Ct) ET (hz), mz ET (Gore), ET (B), ET (Bs) ET (hy), my ET (Gore), ET (A), ET (Ar) ET (hx), mx Tallier 1 Keep the last one for example 33 Orange Labs - Research & Development Tallier 2 Tallying phase Step 3: Mixing the ballots Tallier 1 Bulletin Board 3 Tallier 2 Bulletin Board 4 ET (Bush), ET (A), ET (Ar) ET (hx') E'T (Gore), E'T (A), E'T (Ar), E'T (hx) Mix Net (hz) E'T (Gore), E'T (B), E'T (Bs), E'T (hy) ET (Gore), ET (B), ET (Bs) ET (hy) E'T (Bush), E'T (C), E'T (Ct), E'T (hz) ET (Gore), ET (A), ET (Ar) ET (hx) E'T (Bush), E'T (A), E'T (Ar), E'T (hx') ET (Bush), ET (C), ET (Ct) ET Reencrypt and permute each row 34 Orange Labs - Research & Development Tallying phase Step 4: Checking credentials Authority 1 Bulletin Board 4 E'T (Gore), E'T (A), E'T (Ar), E'T (hx) E'T (Gore), E'T (B), E'T (Bs), E'T (hy) E'T (Bush), E'T (C), E'T (Ct), E'T (hz) E'T (Bush), E'T (A), E'T (Ar), E'T (hx') Authority 2 1. The authorities compute C=E'T [Ay+rg-1h-x ] from E'T [A], E'T [Ar], E'T [hx] and SK = y 2. Test whether C is an encryption of 1 1. Power C to a fresh random number 'f' and jointly decrypt Cf. 2. D[Cf] =1 ? Yes = valid / No = invalid … E‘(©) and discard ballots … … 35 Orange Labs - Research & Development Tallying phase Step 5: Decrypt valid votes Tallier 1 Bulletin Board 4 E'T (Gore) E'T (Gore) E'T (Bush) Tallier 2 Results Distributed Decryption Gore Gore Bush … E‘(©) … … 36 Orange Labs - Research & Development Security at a glance Voter cannot sell or prove vote No randomization or forced abstention Randomization: Voter can use fake credential to post false ballot… and later vote for real Forced abstention: Voter can vote using an anonymous channel Resistance to shoulder-surfing 37 Attacker cannot tell a false credential from a real one Voter can vote multiple times Weeding policy provides for re-vote E.g., last vote might count (needs extra phase) Orange Labs - Research & Development Computational Definition of Coercion-Resistance (1) The credentials are given to the voters A sets coercive target If b = 0 the coerced voter cast a ballot for and gives a fake credential to A If b = 1 the coerced voter gives her valid credential to A and does not cast a ballot A guesses coin flip 38 Orange Labs - Research & Development Computational Definition of Coercion-Resistance (2) The credentials are given to the voters A sets coercive target the coerced voter evades coercion A' guesses coin flip but it's only input is the final tally 39 Orange Labs - Research & Development Computational Definition of Coercion-Resistance (3) Intuitively, this definition means that in a real protocol execution, A learns nothing more than the election tally Our protocol satisfies the coercion-resistant requirement (in the random oracle model) under the q-SDH and SDDHI assumptions 40 Orange Labs - Research & Development Computational Definition of Verifiability should be negligible Our protocol satisfies the verifiability requirement (in the random oracle model) under the q-SDH assumption 41 Orange Labs - Research & Development trade-offs 4 Client/Server in UV elections 42 Orange Labs - Research & Development Client/Server trade-offs in universally verifiable elections Setup: Generators g0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g0y,SK= y Talliers: share y and an ElGamal secret key Encoding of votes for L candidates: 43 candidate 1 → 1, candidate 2 → 2, . . . , candidate L → L. Orange Labs - Research & Development Generation of the ballots Ballot for the candidate j: (A, r, x) • Where x = j and r is randomly chosen by R • A is computed as follows by R: A = (g hx)1/(y+r) 44 The ballot is valid iff : Aγ+r=g hx (which is equivalent to Ay+rg-1h-x = 1) Orange Labs - Research & Development Voting 45 A vote for candidate j: (E[A], E[Ar], E[hx], P) where x = j P is a NIZKP of validity, that is : • E(vote) is an encryption of a valid vote • Voter knows the plaintext related to E(A) • Voter knows the "discrete logarithm" of E[Ar] in the base E[A] • Voter knows the plaintext related to E[hx] as well as the discrete logarithm x of this plaintext in the base h. Orange Labs - Research & Development Tallying Ballot Step 1: Discard ballots with invalid proofs Bulletin Board 1 ET (A), ET (Ar) ET (hx), Proof1 ET (A), ET (Ar) ET (hx), Proof2 ET (C), ET (Ct) ET (hz), Proof3 ET (D), ET (Du) ET (hw), Proof4 Tallier 1 46 Orange Labs - Research & Development Tallier 2 Tallying Ballot Step 4: Checking valid ballots Authority 1 Bulletin Board 2 ET (A), ET (Ar) ET (hx) ET (A), ET (Ar) ET (hx) ET (C), ET (Ct) ET (hz) ET (D), ET (Du) ET (hw) Authority 2 1. The authorities compute C=E[Ay+rg-1h-x ] from E[A], E[Ar], E[hx] and SK = y 2. Test whether C is an encryption of 1 1. Power C to a fresh random number 'f' and jointly decrypt Cf. 2. D[Cf] =1 ? Yes = valid / No = invalid and discard ballots 47 Orange Labs - Research & Development … E‘(©) … … Tallying Ballot Step 6: decrypt and compute the result Bulletin Board 3 ET (hx) ET (hx) ET (hw) Tallier 1 Tallier 2 … E‘(©) … … 48 Orange Labs - Research & Development 5 Conclusion 49 Orange Labs - Research & Development Conclusion 50 JCJ and Civitas are promising, but unfortunately not really practical We design a practical (with linear work factor), publicly verifiable and coercion- resistant voting scheme for remote elections Not just practical, but essential for Internet voting! What about Perfect anonymity? Usability issues: would average people be able to memorize 10 alphanumeric characters? How to remove the assumption related to the voter's computer? Details: Araujo, Foulle, Traoré, Towards Trustworthy Elections 2010 and Araujo, Ben Rajeb, Robbana, Traoré, Youssfi, CANS 2010. Orange Labs - Research & Development
© Copyright 2026 Paperzz