Masked Ballot Voting for Receipt-Free Online Elections (Roland Wen, slide presentation)



SLIDE 1

Masked Ballot Voting for Receipt-Free Online Elections

Roland Wen and Richard Buckland
School of Computer Science and Engineering, The University of New South Wales, Sydney, Australia
{rolandw,richardb}@cse.unsw.edu.au

VOTE-ID 2009

SLIDE 2

Outline

◮ Background
  ◮ Receipt-Freeness
  ◮ Designing Receipt-Free Schemes
◮ Masked Ballot Voting Scheme
  ◮ Overview
  ◮ Voting Scheme
◮ Discussion

SLIDE 3

Background: Receipt-Freeness

Receipt-Freeness in Online Elections

◮ Online elections have great potential but serious concerns remain
◮ Elections have unique and challenging security requirements
◮ Secret ballot prevents bribery and coercion
  ◮ ⇒ Voters can lie to 3rd parties
◮ Receipt-freeness: voters cannot prove how they voted
  ◮ No receipt (evidence) for the vote

SLIDE 4

Why Is Receipt-Freeness Difficult?

1. Electronic data is easy to copy
  ◮ ⇒ Easy to produce electronic evidence for the vote
2. Plausible there could be a powerful adversary who intercepts all Internet communication (eg packet sniffing by ISPs)
  ◮ ⇒ Verify evidence
◮ Need secret information that prevents adversary from verifying evidence
  ◮ ⇒ Strong assumptions during the election
  ◮ Hard to realise assumptions in practice

SLIDE 5-8

Background: Designing Receipt-Free Schemes

Example: A Flawed Scheme

◮ Hypothetical voting scheme: voters and authorities only communicate via the Internet

[Figure, built up over slides 5-8: the voter Gromit encrypts vote 42 with random value 20, E(vote 42; random 20) = ballot 1337, and casts 1337 over the Internet to the authorities. The adversary, who has seen 1337, demands the vote and the randomness. Gromit claims vote 41 with random 19; the adversary re-encrypts and obtains ballot 9009 ≠ 1337: "You lying dog! Gotcha!"]

SLIDE 9-12

1. Untappable Channels Approach

◮ Untappable channels: adversary cannot intercept messages

[Figure, built up over slides 9-12: the authorities send Gromit a ballot/vote table (1337 ↔ 42, 9009 ↔ 41, ...) over an untappable channel. Gromit casts ballot 1337 over the Internet. The adversary sees 1337 and demands Gromit's vote; Gromit shows a table in which 1337 corresponds to vote 41. The adversary: "Is this the real table? ...I'm stuffed!"]

SLIDE 13

Problems with Untappable Channels

◮ Difficult to implement in practice
  ◮ Internet susceptible to eavesdropping by well-funded adversary
◮ Resolving disputes
  ◮ If voter claims authority is dishonest during the election, who is lying?
◮ Distributing trust among multiple authorities
  ◮ Voter must know identity of at least one trusted authority to lie safely
  ◮ Voter will be caught out if lying about messages from a corrupt authority
  ◮ ⇒ Typically have to assume no authorities collude with the adversary to bribe or coerce voters

SLIDE 14-18

2. Anonymous Channels Approach

◮ Anonymous channels: adversary cannot identify senders

[Figure, built up over slides 14-18: before the election a registrar tells Gromit over an untappable channel that his pseudonym is 86. At election start "86 casts 1337" over an anonymous channel, where 1337 = E(vote 42; random 20); another voter, 99, casts 9009 = E(vote 41; random 19). The adversary asks "Who are 86 and 99?"; Gromit answers "I am 99" and shows vote 41 with random 19, which does re-encrypt to 9009. The adversary: "Is Gromit really 99? ...I'm stuffed!"]

SLIDE 19

Problems with Anonymous Channels

◮ Difficult to implement in practice
  ◮ Hard to guarantee anonymity over Internet
  ◮ Eg mix-nets still require untappable channels between voters and mix-net
◮ Problems remain with offline untappable channels
  ◮ Resolving disputes
  ◮ Distributing trust

SLIDE 20-23

3. Trusted Randomisers Approach

◮ Trusted randomisers: generate secret randomness

[Figure, built up over slides 20-23: a trusted randomiser supplies Gromit with random value 20 over an untappable local channel; Gromit forms ballot 1337 = E(vote 42; random 20) and casts it over the Internet to the authorities. The adversary demands the vote and the randomness; Gromit claims vote 41, but without the random value the adversary cannot recompute any ballot to check. The adversary: "What is the random value? ...I'm stuffed!"]

SLIDE 24

Problems with Trusted Randomisers

◮ A lot of trust involved
  ◮ Hard to guarantee local channel is untappable
  ◮ Smart cards are tamper-resistant not tamper-proof
  ◮ Single point of failure

SLIDE 25

Masked Ballot Voting Scheme (section)


SLIDE 26

Masked Ballot Voting Scheme: Overview

Approach

◮ How to avoid strong assumptions during the election?
  ◮ Voters and authorities can only communicate via the Internet
  ◮ Adversary can intercept all messages
  ◮ ⇒ Voter must construct ballot without any assistance during the election
  ◮ ⇒ Adversary can verify the voter's private data against eavesdropped ballot
  ◮ ⇒ Private data must appear to correspond with any possible vote
◮ How does a voter indicate the actual vote?
  ◮ Vote must depend on secret information obtained before the election

SLIDE 27

Masked Ballot Voting

◮ Assumption: untappable channels available only before the election (offline registration stage)
◮ All communication during the election is posted to authenticated bulletin board via Internet
◮ Purely a voting scheme
  ◮ The output is an encrypted vote for each voter
  ◮ Generic: independent of the vote encoding
  ◮ Subsequent counting scheme calculates the result

SLIDE 28

Masked Ballot Voting Scheme: Voting Scheme

Registration Stage

[Figure: the registrar sends Gromit mask 11 over an untappable channel.]

◮ A registrar provides each voter V with a secret mask
  1. Randomly select a mask m
  2. Encrypt m → E(m)
  3. Post (V, E(m)) to bulletin board
  4. Construct designated-verifier proof d that E(m) is an encryption of m
  5. Send (m, d) to V via an untappable channel

SLIDE 29

Voting Stage

[Figure: at election start Gromit computes vote 42 − mask 11 = 31, encrypts 31 with random value 20 to obtain ballot 1337, and casts 1337 over the Internet to the authorities.]

◮ A voter casts a masked ballot for a vote v using mask m
  1. Encrypt (v − m) → E(v − m)
  2. Construct proof p of plaintext knowledge
  3. Post (E(v − m), p) to the bulletin board via the Internet

SLIDE 30

Unmasking Stage

[Figure: same picture as the voting stage; the registrar's E(mask 11) and Gromit's E(31) = ballot 1337 are both on the bulletin board.]

◮ For each voter, any party can unmask the ballot E(v − m)
  ◮ Encrypt with threshold homomorphic cryptosystem, eg Paillier
  ◮ Use additive homomorphism to combine E(m) posted by the registrar and E(v − m) posted by the voter
  ◮ E(v − m) ⊞ E(m) = E(v)

SLIDE 31

Thwarting the Adversary

[Figure: Gromit's real inputs are vote 42, mask 11, 42 − 11 = 31, random 20, ballot 1337. To the adversary Gromit claims vote 41 and mask 10: 41 − 10 = 31 with random 20 gives the same ballot 1337. The adversary: "Is Gromit's real mask 10? ...I'm stuffed!"]

◮ Gromit cannot lie about input 31 (v − m)
◮ But can lie about m and hence v
  1. Attacks after ballot is cast
  2. Attacks before ballot is cast
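A worked run of the flawed scheme (slides 5-8) and of the masked-ballot registration, voting, unmasking and lying strategy (slides 28-31), added here as an illustration; it is not code from the talk or its authors. It assumes a toy textbook Paillier with tiny demo primes and one decryption key standing in for the threshold cryptosystem, the designated-verifier proof is only described in a comment, and all function names are the example's own.

```python
import random
from math import gcd

# Toy textbook Paillier with tiny demo primes (assumption: a deployment uses large primes and threshold keys).
def keygen(p=61, q=53):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # valid because g = n + 1
    return (n, n + 1), (lam, mu)

def random_r(n):  # fresh randomness coprime to n (the "random 20" of the slides)
    while True:
        r = random.randrange(2, n)
        if gcd(r, n) == 1:
            return r

def encrypt(pk, msg, r):
    n, g = pk
    return (pow(g, msg % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def hom_add(pk, c1, c2):
    """The slides' ⊞ operator: E(a) ⊞ E(b) = E(a + b)."""
    return (c1 * c2) % (pk[0] ** 2)

def reencrypt_check(pk, ballot, claimed_plain, claimed_r):
    """All an eavesdropper can do: re-encrypt the claimed (plaintext, randomness) and compare."""
    return encrypt(pk, claimed_plain, claimed_r) == ballot

def flawed_scheme_demo(pk):
    """Slides 5-8: the ballot is E(vote; random), so any claim is fully checkable."""
    ballot = encrypt(pk, 42, 20)                   # Gromit casts E(42; 20) = "1337"
    # honest claim (42, 20) verifies; the lie (41, 19) re-encrypts to a different ballot and is caught
    return reencrypt_check(pk, ballot, 42, 20), reencrypt_check(pk, ballot, 41, 19)

def masked_ballot_demo(pk, sk):
    """Slides 28-31: registrar posts E(m), voter posts E(v - m), anyone unmasks with ⊞."""
    m, v = 11, 42
    enc_mask = encrypt(pk, m, random_r(pk[0]))     # registrar's randomness never leaves the registrar
    ballot = encrypt(pk, v - m, 20)                # voter posts E(31; 20) plus a proof of plaintext knowledge
    unmasked = decrypt(pk, sk, hom_add(pk, ballot, enc_mask))
    # Coercion-resistance strategy: claim vote 41 and mask 10; 41 - 10 = 31 re-encrypts to the same ballot.
    lie_passes = reencrypt_check(pk, ballot, 41 - 10, 20)
    # The adversary cannot test the mask: it sees E(m) without the registrar's randomness, and the
    # designated-verifier proof d can be simulated by Gromit for any claimed mask (not modelled here).
    return unmasked, lie_passes
```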

SLIDE 32

Proving Receipt-Freeness

◮ Moran and Naor's simulation-based model
  ◮ Receipt-free against an adaptive adversary
  ◮ Ideal world captures properties of ideal voting protocol
  ◮ Only allows adversary to force voters to abstain or vote randomly
  ◮ Simulate the real protocol
  ◮ ⇒ Real protocol is as receipt-free as ideal protocol
◮ Voting protocol has a coercion-resistance strategy
  ◮ Describes how voters thwart the adversary's instructions

SLIDE 33

Discussion (section)


SLIDE 34

Discussion

Limitations of Masked Ballot Assumptions

◮ Secret information (mask) sent before election cannot be re-used
  ◮ Less convenient for voters
◮ Voters cannot provide proofs of vote validity
  ◮ May require extra work for authorities to remove invalid votes before the counting
◮ Voters can still prove if they abstained or voted randomly
  ◮ Coercion-resistance property requires anonymous channels
  ◮ So only receipt-freeness is achievable

SLIDE 35

Summary

◮ All approaches to receipt-freeness use untappable channels to protect some secret information
  ◮ Different trade-offs
◮ Masked Ballot Voting Scheme achieves receipt-freeness with a more practical assumption during the election
  ◮ Only relies on standard cryptographic components during the election
  ◮ Shifts problematic assumptions to before the election
◮ Many good cryptographic solutions
  ◮ Biggest remaining problem is to resolve practical issues
  ◮ Eg authentication, DOS, malware, shoulder-surfing