Recipt-free Voting
Through Distributed Blinding
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson
Coercion-free Voting
Through Distributed Blinding
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson
Why do we want coercion-free voting?
 Blackmail
with a long arm
 Vote buying
– Anonymous peer-to-peer
networks
– Vote-buying schemes (e.g., voteauction.com; http://62.116.31.68/)
 Home
voting
– Shoulder surfing
– Proximate coercion
Attack model
 Attacker
cannot interfere with registration
process (otherwise can simulate voter)
 Attacker can provide keying or other material
to voter prior to vote (even entire ballot)
 Two possibilities during vote:
– Assume no attacker presence at time of
vote (countermeasure: receipt-freeness)
– Assume attacker sometimes present
(countermeasure: coercion-freeness)
 Attacker has access to all public information,
i.e., encrypted and decrypted ballots
Cast of characters
 Voter
(Alice)
I Like
Ike
 Voting
authority
 Attacker
Some visual notation
 Ciphertext
 Mix
network (publicly verifiable)
Hirt-Sako approach
 IDEA:
Voter commits publicly to vote,
but ballot preparation is secret
 TOOLS (scheme-specific):
– Designated verifier proofs
– Untappable channels
DV Proof
Ballot blinding
blinded
ballot:
P = P1 P2
Authority 1
Authority 2
P1
P2
Bore
Gush
Nadir
Voting
Authority 1
DV Proof
of P1
P = P1 P2
Authority 2
DV Proof
of P2
Voting
Nadir
=
Bore
Alice’s
 = 1 2
vote
Gush
Bore
Drawbacks
 Cost
per ballot is linear in number of
candidates 
 Requires untappable channels for vote
 Not fully coercion resistant, e.g., not
resistant to shoulder surfing
 Not resistant to collusion between
adversary and authorities
 Subject to “randomization” attack 
Randomization attack
Gush
Random
choice
Now Alice is unlikely to select her intended choice, Bore
“Proof” that collusion resistance is
not possible with public verifiability
 We
must identify voter in order to have
public verifiability
 If attacker controls an authority, he can
do “spot checking”
 In order not to risk “spot checking”,
voter must reveal all communication
 Thus, untappable channels are
breached and all transcripts are
revealed
Our scheme represents a
counterexample to this “proof”...
(and more?)
New tool for our scheme
 Anonymous
credential = Voting key
– Essentially a group signature key
– Carries hidden, identifying tag, called tagi
– Special enhancement: Also includes
validator vali = B(tagi), where B is threshold
blinding function
tagi
vali
Some notation
B’() denote another, independent
threshold blinding function
 Let E[m] denote El Gamal ciphertext on
m:
 Let
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal
homomorphism
Our new scheme
 Core
ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of
voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not
validator is correct
 Attacker
not
cannot tell whether a vote is valid or
Anatomy of a ballot
validator = B(tagi)
tagi vali
proofi
tagi vali
NIZK proof that
tagi ciphertext is
valid for credential
votei
Anonymous credential
signature
Tallying Ballots
Step 1: Check group signatures and proofs
tag1 val1
proof1
vote1
?
tag2 val2
proof2
vote2
?
tag3 val3
proof3
vote3
tagn
proofn
voten
..
.
val
n
?
?
Authority 1
Authority 2
Tallying Ballots
Step 2: Mixing ballots
Authority 1 Authority 2
tag1
val1
vote1
tag2
val2
tagn’
re-encryption
tag1
val1
vote1
..
.
vote2
tag2
val2
vote2
valn’
voten’
tagn’
valn’
voten’
..
.
Tallying Ballots
Step 3: Joint blinding and decryption of validators
Authority 1 Authority 2
tag1
val1
vote1
tag1 B’(val1) vote1
tag2
val2
..
.
vote2
tag2 B’(val2) vote2
...
tagn’
valn’
voten’
tagn’ B’(valn’) voten’
..
.
Tallying Ballots
Step 4: Elimination of duplicates by validator
Authority 1 Authority 2
tag1 B’(val1) vote1
tag2 B’(val2) vote2
...
tag3 B’(val3) vote3
tagn’ B’(valn’) voten’
equal validators
Tallying Ballots
Step 5: Verification of validators
Authority 2
Authority 1
If correct, B’(vali) = B’(B(tagi))
E[tag2]
tagi
B’(vali)
votei
•Authorities compute B’(B(E[tagi])) = E[B’(B(tagi))] and jointly decrypt
•If result is B’(vali), then validator is correct
•Otherwise ballot is invalid and is thus removed
Tallying Ballots
Step 6: Joint decryption of valid votes
Authority 2
Authority 1
vote1
=
Gush
vote2
Bore
vote3
Bore
Coersion is eliminated
 Key
idea: Attacker cannot tell a false
validator from a real one
– If attacker demands voting key, voter can provide
false validator
– If attacker demands that voter cast a certain type
of vote, and demands pointer(s)
Voter can vote as demanded using false validator
 Voter can re-vote using correct validator

– This holds even if attacker colludes with a minority
of authorities
Well, there’s
always Florida
Features of scheme
 Overhead
on top of mixing process is
minimal, thus the scheme is quite practical
– Cost is effectively independent of number of
candidates

No need for untappable channels during vote
– We need some access to anonymous channels
Resistant to “randomization” attacks
 Resistant to collusion with authorities
 Potential resistance to shoulder-surfing attack

Additions




Votes can be countersigned by polling station,
indicating priority
If registrar publishes voting roll with blinded
validators, we can verify publicly that all participants
are on roll
– Requires an additional mixing step
Validator may be constructed in threshold manner,
distributed with proofs and re-encrypted by registrar
Careful modeling required and largely
unaddressed
Questions?
Appendix: Improvement to Hirt-Sako
Idea: Secret sharing of vote
V1
V2
Authority 1
Authority 2
V1
Vote = V1V2
V2
Idea: Secret sharing of vote
V1
V2
Authority 1
Authority 2
ZK-DV Proof of
correct encryption
Vote = V1V2
ZK-DV Proof of
correct encryption
And then…
Vote
=
V1
x
V2
Remarks
 No
randomization attack possible
 Cost is (1) per vote
 By letting Vi = -1 or 1, we can check
validity