Remote Electronic Voting can be Efficient, Verifiable and - PowerPoint PPT Presentation

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes – VOTING’16 February 26th, 2016

Content 1. Previous Work 2. Building Blocks 3. Our Electronic Voting Scheme 4. Conclusion Remote e-voting: Efficient, Verifiable and Coercion-Resistant 2 Orange Labs

Previous Work (Juel, Catalano and Jakobsson, WPES 2005)  JCJ formally defined the property of coerc ercion ion-resist esistance ance, by considering possible attacks: – constrain a voter to cast given or random votes – force her to reveal her private data – vote on her behalf – force her to abstain  Main idea: a coercer must be unable to distinguish a fake credential from a valid one. ⇒ for 𝑂 ballots, the tallying complexity is in 𝒫 𝑂 2 Remote e-voting: Efficient, Verifiable and Coercion-Resistant 3 Orange Labs

Motivations Linear Multiple Practical for Completely complexity elections real polls anonymous AFT07 AT13 CH11 SKHS11 Remote e-voting: Efficient, Verifiable and Coercion-Resistant 4 Orange Labs

Building Blocks  Designated Verifier Proof (DVP) which cannot be transferred: Only the designated verifier can be convinced by this proof  Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKP): Enable a prover to convince a verifier that he knows some secret  ElGamal Cryptosystem  Algebraic MAC Scheme  Sequential Aggregate MAC Scheme Remote e-voting: Efficient, Verifiable and Coercion-Resistant 5 Orange Labs

ElGamal Cryptosystem  Given 𝔿 = 𝑕 cyclic group of prime order 𝑞 – private key 𝑦 , public key 𝑞𝑙 = 𝑕 𝑦 – encryption of 𝑛: 𝐹 𝑞𝑙 𝑛 = 𝑕 𝑠 , 𝑛ℎ 𝑠 – decryption of 𝐹 𝑞𝑙 𝑛 : 𝑛ℎ 𝑠 𝑕 𝑠 −𝑦  Properties: – multiplicatively homomorphic: 𝐹 𝑞𝑙 𝑛 1 × 𝐹 𝑞𝑙 𝑛 2 = 𝐹 𝑞𝑙 [𝑛 1 × 𝑛 2 ] – distribution of the private key (i.e. the decryption) – comparison of two ciphertexts via Plaintext Equivalence Test (PET): 𝑄𝐹𝑈 𝐹 𝑞𝑙 𝑛 1 , 𝐹 𝑞𝑙 𝑛 2 = 1 if 𝑛 1 = 𝑛 2 and 0 otherwise – easy re-encryption: 𝐹 𝑞𝑙 𝑛 = (𝑕 𝑠 , 𝑛ℎ 𝑠 ) can be transformed in 𝐹 𝑞𝑙 𝑛 ′ = (𝑕 𝑠+𝑠 ′ , 𝑛ℎ 𝑠+𝑠 ′ ) Remote e-voting: Efficient, Verifiable and Coercion-Resistant 6 Orange Labs

Algebraic MAC Scheme (Chase, Meiklejohn, Zaverucha, ACM CCS2014)  Setup 1 𝑙 : Generate 𝑞𝑞 = (𝔿, 𝑞, 𝑕, ℎ) such that – 𝔿 cylic group of prime order 𝑞 , where DDH is hard – 𝑕, ℎ two of its generators  KeyGen (𝑞𝑞) : – secret key 𝑡𝑙 = 𝑦 0 , 𝑦 1 , 𝑦 2 – optionally, the public parameters (𝐷 𝑦 0 = 𝑕 𝑦 0 ℎ 𝑦 , 𝑌 1 = ℎ 𝑦 1 , 𝑌 2 = ℎ 𝑦 2 )  MAC (𝑡𝑙, 𝑛 1 , 𝑛 2 ) : – choose 𝑣 randomly – generate 𝜏 = (𝑣, 𝑣 ′ ) where 𝑣 ′ = 𝑣 𝑦 0 +𝑛 1 𝑦 1 +𝑛 2 𝑦 2 ? 𝑣′  Verify (𝑡𝑙, 𝑛 1 , 𝑛 2 , 𝜏) : 𝑣 ≠ 1 and 𝑣 𝑦 0 +𝑛 1 𝑦 1 +𝑛 2 𝑦 2 = Deciding whether 𝑛, 𝑣, 𝑣 ′ = 𝑣 𝑦 0 +𝑛𝑦 1 is a valid MAC on 𝑛 is equivalent to the DDH problem. Remote e-voting: Efficient, Verifiable and Coercion-Resistant 7 Orange Labs

Our Sequential Aggregate MAC Scheme  Setup: 𝑞𝑞 = (𝔿, 𝑞, 𝑕, ℎ) – 𝑡𝑙 1 = 𝑦 0 , 𝑦 1 , secret key of the first signer 𝒯 1 – 𝑡𝑙 2 = 𝑦 2 , secret key of the second signer 𝒯 2 – 𝐷 𝑦 0 = 𝑕 𝑦 0 ℎ 𝑦 , 𝑌 1 = ℎ 𝑦 1 , 𝑌 2 = ℎ 𝑦 2 , associated public parameters  Computation of MAC on 𝑛 1 by 𝒯 1 and 𝑛 2 by 𝒯 2 : 𝒯 1 𝒯 2 𝑣, 𝑣 ′ = 𝑣 𝑦 0 +𝑛 1 𝑦 1 , 𝑛 1 𝑥 = 𝑣 𝑢 , 𝑥 ′ = 𝑣 ′ 𝑣 𝑛 2 𝑦 2 𝑢 , 𝑛 1 , 𝑛 2 receiver ? 𝑥 𝑦 0 +𝑛 1 𝑦 1 +𝑛 2 𝑦 2  Verification: w ≠ 1 and 𝑥 ′ = existentially unforgeable Remote e-voting: Efficient, Verifiable and Coercion-Resistant 8 Orange Labs

1. Setup Our eVote Scheme 2. Registration 3. Voting 4. Tallying Receive credential in order to cast a vote voter ers Issue credentials in a distributed manner during the registration step registr egistrat ation ion auth thor orit itie ies Force voters to make a particular vote and try to verify it coer oercer ers Jointly manage the tallying phase ying auth tall llyin thor orit ities es Remote e-voting: Efficient, Verifiable and Coercion-Resistant 9 Orange Labs

Security Model  Registration occurs through an untappable channel ⇒ no adversaries at this step  Votes may be posted anonymously  Bulletin Board is universally accessible  Attacker may: – access to all public information – corrupt a subpart of the election authorities – coerce voters: requests secrets, forces a particular vote… Voters trust their voting client. Remote e-voting: Efficient, Verifiable and Coercion-Resistant 10 Orange Labs

1. Setup Set-Up 2. Registration 3. Voting 4. Tallying  Set-Up: – 𝑕, ℎ, 𝑝 generators of a cyclic group 𝔿 of prime order 𝑞 – registrars ℛ : share 𝑡𝑙 = (𝑦 0 , 𝑦 1 ) , 𝑞𝑙 = (𝐷 𝑦 0 = 𝑕 𝑦 0 ℎ 𝑦 , 𝑌 1 = ℎ 𝑦 1 ) – talliers 𝒰 : share 𝑡𝑙 and an ElGamal keypair 𝑈, 𝑈  Registration: – credential 𝑡, 𝑣, 𝑣 ′ : – 𝑡 and 𝑣 chosen randomly by ℛ – 𝑣 ′ = 𝑣 𝑦 0 +𝑡𝑦 1 computed by ℛ – in case of coercion, fake credential: 𝑡 ′ , 𝑣, 𝑣 ′ (DDH assumption) Remote e-voting: Efficient, Verifiable and Coercion-Resistant 11 Orange Labs

1. Setup Registration 2. Registration 3. Voting 4. Tallying  ℛ jointly compute (𝑣, 𝑣 ′ = 𝑣 𝑦 0 +𝑡𝑦 1 ) with 𝑡, 𝑣 cooperatively selected and prove its validity through a DVP: 𝑡, 𝑣, 𝑣 ′ , DVP  If a coercer asks to her credential, she can send a fake one: (𝑡 ′ , 𝑣, 𝑣 ′ ) The DVP can only convince the designated voter! Remote e-voting: Efficient, Verifiable and Coercion-Resistant 12 Orange Labs

More about our Ballot  Credential: (𝑡, 𝑣, 𝑣 ′ ) where 𝑣 ′ = 𝑣 𝑦 0 +𝑡𝑦 1  Ballot: 𝐹 𝑈 𝑤 , 𝑥, 𝑥 ′ , 𝐹 𝑈 𝑥 𝑡 , 𝑝 𝑡 , 𝑄 𝑥, 𝑥 ′ is a randomized credential s.t. 𝑥 = 𝑣 𝑚 and 𝑥 ′ = 𝑣 ′ 𝑚 – – 𝑄 is a pair of NIZKPs of validity: – 𝐹 𝑈 𝑤 is an encryption of a valid vote – the voter knows: – the plaintext of 𝐹 𝑈 𝑥 𝑡 – the secret 𝑡 , common both to 𝐹 𝑈 𝑥 𝑡 and 𝑝 𝑡 Remote e-voting: Efficient, Verifiable and Coercion-Resistant 13 Orange Labs

1. Setup Voting (first election) 2. Registration 3. Voting 4. Tallying  Vote under coercion: Bull lletin tin Board … 𝐹 𝑈 𝑏 , 𝑥, 𝑥 ′ , 𝐹 𝑈 𝑥 𝑡′ , 𝑝 𝑡′ , 𝑄 𝐹 𝑈 𝑏 , 𝑥, 𝑥 ′ , 𝐹 𝑈 𝑥 𝑡′ , 𝑝 𝑡′ , 𝑄 … …  Revote: … … 𝐹 𝑈 𝑐 , 𝑥, 𝑥 ′ , 𝐹 𝑈 𝑥 𝑡 , 𝑝 𝑡 , 𝑄 𝐹 𝑈 𝑐 , 𝑥, 𝑥 ′ , 𝐹 𝑈 𝑥 𝑡 , 𝑝 𝑡 , 𝑄 … … Remote e-voting: Efficient, Verifiable and Coercion-Resistant 14 Orange Labs

1. Setup Tallying Phase [1/5] 2. Registration 3. Voting 4. Tallying 1. Discard ballots with invalid proofs Bull lletin tin Board d (offli fline) e) 𝑠 , 𝑝 𝑠 , 𝑄 ′ , 𝐹 𝑈 𝑥 1 𝐹 𝑈 𝑐 , 𝑥 1 , 𝑥 1 𝑡 , 𝑝 𝑡 , 𝑄 ′ , 𝐹 𝑈 𝑥 2 𝐹 𝑈 𝑐 , 𝑥 2 , 𝑥 2 ′ , 𝐹 𝑈 𝑥 3 𝑢 , 𝑝 𝑢 , 𝑄 𝐹 𝑈 𝑏 , 𝑥 3 , 𝑥 3 𝑡′ , 𝑝 𝑡′ , 𝑄 ′ , 𝐹 𝑈 𝑥 4 𝐹 𝑈 𝑐 , 𝑥 4 , 𝑥 4 𝑠 , 𝑝 𝑠′ , 𝑄 ′ , 𝐹 𝑈 𝑨 1 𝐹 𝑈 𝑏 , 𝑨 1 , 𝑨 1 𝑡 , 𝑝 𝑡 , 𝑄 𝐹 𝑈 𝑏 , 𝑨 2 , 𝑨 2 ′, 𝐹 𝑈 𝑨 2 Remote e-voting: Efficient, Verifiable and Coercion-Resistant 15 Orange Labs

1. Setup Tallying Phase [2/5] 2. Registration 3. Voting 4. Tallying 2. Remove duplicates votes ⇒ ballots published using the same secret 𝑡 Bull lletin tin Board d (offli fline) e) 𝑠 , 𝑝 𝑠 ′ , 𝐹 𝑈 𝑥 1 𝐹 𝑈 𝑐 , 𝑥 1 , 𝑥 1 𝑡 , 𝑝 𝑡 ′ , 𝐹 𝑈 𝑥 2 𝐹 𝑈 𝑐 , 𝑥 2 , 𝑥 2 ′ , 𝐹 𝑈 𝑥 3 𝑢 , 𝑝 𝑢 𝐹 𝑈 𝑏 , 𝑥 3 , 𝑥 3 𝑡′ , 𝑝 𝑡′ ′ , 𝐹 𝑈 𝑥 4 𝐹 𝑈 𝑐 , 𝑥 4 , 𝑥 4 𝑡 , 𝑝 𝑡 𝐹 𝑈 𝑏 , 𝑨 2 , 𝑨 2 ′, 𝐹 𝑈 𝑨 2 Possible policy: keep the last one Remote e-voting: Efficient, Verifiable and Coercion-Resistant 16 Orange Labs

1. Setup Tallying Phase [3/5] 2. Registration 3. Voting 4. Tallying 3. Reconstruction and checking of credentials 1. The authorities cooperatively compute 𝐹 𝑈 𝑥 , 𝐹 𝑈 𝑥 𝑦 0 , 𝐹 𝑈 𝑥 𝑡 , 𝐹 𝑈 𝑥 𝑡 𝑦 1 in Bull lletin tin Board d (offli fline) e) order to obtain: ′ , 𝐹 𝑈 𝑥 1 𝑠 𝐹 𝑈 𝑐 , 𝑥 1 , 𝑥 1 E T 𝑥 𝑦 0 × 𝐹 𝑈 𝑥 𝑡𝑦 1 = 𝐹 𝑈 𝑥 𝑦 0 +𝑡𝑦 1 ′ , 𝐹 𝑈 𝑥 3 𝑢 𝐹 𝑈 𝑏 , 𝑥 3 , 𝑥 3 2. Then, power 𝐷 = 𝐹 𝑈 𝑥 𝑦 0 +𝑡𝑦 1 /𝑥′ to a ′ , 𝐹 𝑈 𝑥 4 𝑡′ 𝐹 𝑈 𝑐 , 𝑥 4 , 𝑥 4 fresh random 𝛽 for the PET: 𝑡 𝐹 𝑈 𝑏 , 𝑨 2 , 𝑨 2 ′, 𝐹 𝑈 𝑨 2 𝐸 = 𝐷 𝛽 should be equal to 𝐹 𝑈 1 Remote e-voting: Efficient, Verifiable and Coercion-Resistant 17 Orange Labs