Lagrangian E-Voting: e-Voting Concept Our contribution - - PowerPoint PPT Presentation

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Lagrangian E-Voting: Verifiability on Demand and Strong Privacy

Łukasz Krzywiecki, Mirosław Kutyłowski

Institute of Mathematics and Computer Science Wrocław University of Technology

TRUST 2010 21-23 June 2010, Berlin

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Outline

1

e-Voting Concept Our contribution

2

Scheme Description Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

motivation

Necessity of remote voting mobility of voters (polling stations model and voting at the place of residence is a 19 century model) a growing number of disabled and/or aged people increasing the number of democratic decisions? Solutions postal voting remote voting

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Postal Voting

properties

Advantages usability simple, transparent no electronics involved Threats requires very reliable post system (so it may work in Switzerland, but not in Poland) vote selling so easy . . . coercion problems

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Postal Voting

properties

Advantages usability simple, transparent no electronics involved Threats requires very reliable post system (so it may work in Switzerland, but not in Poland) vote selling so easy . . . coercion problems

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

advantages and disadvantages

Advantages instantaneous confirmation about arrival of a vote

• nce deployed cheap in operation

scalable Threats how can you trust your computer?! (vote modified, no confidentiality,...) vote selling so easy . . . (downloading software, digital reward...) coercion problems

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

advantages and disadvantages

Advantages instantaneous confirmation about arrival of a vote

• nce deployed cheap in operation

scalable Threats how can you trust your computer?! (vote modified, no confidentiality,...) vote selling so easy . . . (downloading software, digital reward...) coercion problems

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

solutions

Idea 1 - blind computer the computer performs some operations but does not know their meaning the voter has some information from an independent channel hidden from the PC no possibility to change a vote by the computer not even to a random one no possibility to betray the voter’s preferences

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

solutions

Idea 2 - local verifiability some information published on bulletin board a voter obtains some information that can be checked against bulletin board the voter can check that her/his vote has been counted ... but cannot prove anything about the vote cast

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

solutions

Idea 3 - redoing a voter can change his vote until the end of election day coercion requires physical supervision during the whole election period

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Remote Voting

weakening crypto

What happens in 10 years? sensitive informations published on bulletin board in

• rder to enable verifiability

well protected according to the crypto’s state-of-the-art ... but in 10 years cryptanalysis may break it and reveal voter’s preferences Threat the voters can be scared to vote against some parties as they make revenge in 10 years

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Our goal

Forward security in e-voting

1 limit verification to its primary purpose - avoiding

election frauds

2 verification possible only in front of a judge

(and OECD ... observers)

3 minimal information principle - destroy verification keys

as soon as the legal situation cannot change

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Our contribution

On top approach We do not design a new scheme but provide a method for securing schemes for which: the voter has to fill a number a bubbles on the screen of his PC all security features are already granted, except for forward security

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Our contribution

ID card PC System (BB,CA) Court (Verification)

Basic Properties

1 some computations are done inside a personal ID card

(the voters know that borrowing an ID card is very risky!)

2 verification can be performed only in an election court, 3 verification cannot be used outside the court due to its

zero knowledge properties

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Interaction: ID card – RA ID card Registartion Authority

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Key Generation ID card

Generates keys: (cs,cp)

Registartion Authority

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Request Signing ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Passing Request to RA ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Request Verification ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp) Ver(Sign(cp)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Blind Signature Computing ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp) Ver(Sign(cp) s:= Blind_Sign(cp)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Passing Blind Signature to ID card ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp) Ver(Sign(cp) s:= Blind_Sign(cp)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Registration

Token Creation ID card

Generates keys: (cs,cp)

Registartion Authority cp,Sign(cp) Ver(Sign(cp) s:= Blind_Sign(cp) x:= (cp,s)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Ballot

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Triple

Ballot

t:= (x, y, z)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Token

Ballot

t:= (x, y, z)

Token

(cp, s)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Vote Component

Ballot

t:= (x, y, z)

Token

(cp, s)

y:= Hash( SignID(x, z) )

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Activation Counter

Ballot

t:= (x, y, z)

Token

(cp, s)

y:= Hash( SignID(x, z) ) Activation counter

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballot Structure

Signature over Triple

Ballot

t:= (x, y, z)

Token

(cp, s)

y:= Hash( SignID(x, z) ) Activation counter

Signcs(t)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

(x, y1, z1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

Using a Number of Triples

(x, y1, z1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

Triple Encryption with Designated Receiver

(x, y1, z1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

Triple Encryption with Designated Receiver

(x, y1, z1)

EDR(Ballot1) EDR(Ballot1) EDR(Ballot1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

Sending Components to BB

(x, y1, z1)

EDR(Ballot1) EDR(Ballot1) EDR(Ballot1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

Sending Components to BB

(x, y1, z1)

EDR(Ballot1) Ballot Box Ballot Box EDR(Ballot1) EDR(Ballot1) Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

BB Confirmation

(x, y1, z1)

EDR(Ballot1) Ballot Box Ballot Box EDR(Ballot1) EDR(Ballot1) Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Casting a Vote

BB Confirmation

(x, y1, z1)

EDR(Ballot1) Ballot Box Ballot Box EDR(Ballot1) EDR(Ballot1) Ballot Box C1 C2 C3 confirmations

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box

Cascade of mixing servers

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Ballots mixing

Ballot Box Ballot Box Ballot Box Counting Authority

Cascade of mixing servers

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Grouping Triples of one Voter

(x, y1, z1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Counting Activation Trigger for Yes Polynomial

(x, y1, z1)

∑ zi=

? 0

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Building a Polynomial Share

(x, y1, z1) (x, )

F ∑ yi F ∑ yi

∑ zi=

? 0

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Undeniable Signature Over yi components

(x, y1, z1) (x, )

F ∑ yi F ∑ yi

∑ zi=

? 0

F - undeniable

signature

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

A Point

(x, y1, z1) (x, )

F ∑ yi F ∑ yi

∑ zi=

? 0

F - undeniable

signature

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Points of other Voters

(x, y1, z1) (x, )

F ∑ yi F ∑ yi

∑ zi=

? 0

F - undeniable

signature

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Counting Votes

Polynomial Interpolation

(x, y1, z1) (x, )

F ∑ yi F ∑ yi

∑ zi=

? 0

Wyes

F - undeniable

signature

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Publishing Results

Wyes

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Publishing Results

Erasing Original Interpolation Set

Wyes

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Publishing Results

Setting New Interpolation Set

Wyes

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Publishing Results

Setting New Interpolation Set

Wyes

( 1, Wyes(1) ), ..., ( N, Wyes(N) )

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Publishing Results

Publishing the New Interpolation Set

Wyes

( 1, Wyes(1) ), ..., ( N, Wyes(N) )

New interpolation set is published

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Voter Present Ballots and Confirmations from BB

(x, y1, z1)

C1

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Checking the Equality of Cardinalities

(x, y1, z1)

C1

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Checking the Equality of Cardinalities

(x, y1, z1)

C1

no.of ballots=

? no.of confirmations

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Counting Activation Trigger

(x, y1, z1)

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Counting Activation Trigger

(x, y1, z1)

∑ zi=

? 0

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Checking the Share of Polynomial

(x, y1, z1)

∑ zi=

? 0

W yesx=

? F∑ yi

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Interactive Verification of Undeniable Signature

(x, y1, z1)

∑ zi=

? 0

W yesx=

? F∑ yi Interactive zero knowledge verification with CA

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Verification by a Voter

Features

Basic Properties

1 it is risky for CA to modify (or not to include) a vote 2 the value

F(

• yi)

is proved in the court only

3 recorded session proof has no value

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Number of Votes Verified

Features

Process a procedure to ensure that the number of votes cast is correct – see the paper for details

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Vote selling

Features

Vote selling does not work

1 the voter can always send an additional triple — flip the

vote value

2 additional triple can be sent before selling the vote

so retaining the ID card from a voter or vote buying just before the end of the election day does not work

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Perspectives

1 the keys for F must be kept in an HSM and destroyed

physically once the results are fixed

2 even if F becomes broken in 10 years it is hard to say

which points of the polynomial have been used for interpolation

Lagrangian E-Voting e-Voting

Concept Our contribution

Scheme Description

Registration Ballot Structure Casting a Vote Mixing Cascades Verification by a Voter Verification

Thank you for your attention! contact miroslaw.kutylowski@pwr.wroc.pl