Remote Electronic Voting can be Efficient, Verifiable and - - PowerPoint PPT Presentation

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant

Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes – VOTING’16 February 26th, 2016

2

Orange Labs

Content

1. Previous Work 2. Building Blocks 3. Our Electronic Voting Scheme 4. Conclusion

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

3

Orange Labs

Previous Work

(Juel, Catalano and Jakobsson, WPES 2005)

• JCJ formally defined the property of coerc

ercion ion-resist esistance ance, by considering possible attacks:

– constrain a voter to cast given or random votes – force her to reveal her private data – vote on her behalf – force her to abstain

• Main idea: a coercer must be unable to distinguish a fake credential

from a valid one. ⇒ for 𝑂 ballots, the tallying complexity is in 𝒫 𝑂2

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

4

Orange Labs

Motivations

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Linear complexity Multiple elections Practical for real polls Completely anonymous AFT07 AT13 CH11 SKHS11

5

Orange Labs

Building Blocks

• Designated Verifier Proof (DVP) which cannot be transferred:

Only the designated verifier can be convinced by this proof

• Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKP):

Enable a prover to convince a verifier that he knows some secret

• ElGamal Cryptosystem
• Algebraic MAC Scheme
• Sequential Aggregate MAC Scheme

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

6

Orange Labs

ElGamal Cryptosystem

• Given 𝔿 = 𝑕 cyclic group of prime order 𝑞

– private key 𝑦, public key 𝑞𝑙 = 𝑕𝑦 – encryption of 𝑛: 𝐹𝑞𝑙 𝑛 = 𝑕𝑠, 𝑛ℎ𝑠 – decryption of 𝐹𝑞𝑙 𝑛 : 𝑛ℎ𝑠 𝑕𝑠 −𝑦

• Properties:

– multiplicatively homomorphic: 𝐹𝑞𝑙 𝑛1 × 𝐹𝑞𝑙 𝑛2 = 𝐹𝑞𝑙[𝑛1 × 𝑛2] – distribution of the private key (i.e. the decryption) – comparison of two ciphertexts via Plaintext Equivalence Test (PET): 𝑄𝐹𝑈 𝐹𝑞𝑙 𝑛1 , 𝐹𝑞𝑙 𝑛2 = 1 if 𝑛1 = 𝑛2 and 0 otherwise – easy re-encryption: 𝐹𝑞𝑙 𝑛 = (𝑕𝑠, 𝑛ℎ𝑠) can be transformed in 𝐹𝑞𝑙 𝑛 ′ = (𝑕𝑠+𝑠′, 𝑛ℎ𝑠+𝑠′)

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

7

Orange Labs

Algebraic MAC Scheme

(Chase, Meiklejohn, Zaverucha, ACM CCS2014)

• Setup 1𝑙 : Generate 𝑞𝑞 = (𝔿, 𝑞, 𝑕, ℎ) such that

– 𝔿 cylic group of prime order 𝑞, where DDH is hard – 𝑕, ℎ two of its generators

• KeyGen(𝑞𝑞):

– secret key 𝑡𝑙 = 𝑦0, 𝑦1, 𝑦2 – optionally, the public parameters (𝐷𝑦0 = 𝑕𝑦0ℎ𝑦, 𝑌1 = ℎ𝑦1, 𝑌2 = ℎ𝑦2)

• MAC(𝑡𝑙, 𝑛1, 𝑛2):

– choose 𝑣 randomly – generate 𝜏 = (𝑣, 𝑣′) where 𝑣′ = 𝑣𝑦0+𝑛1𝑦1+𝑛2𝑦2

• Verify(𝑡𝑙, 𝑛1, 𝑛2, 𝜏): 𝑣 ≠ 1 and 𝑣𝑦0+𝑛1𝑦1+𝑛2𝑦2 =

? 𝑣′

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Deciding whether 𝑛, 𝑣, 𝑣′ = 𝑣𝑦0+𝑛𝑦1 is a valid MAC on 𝑛 is equivalent to the DDH problem.

8

Orange Labs

Our Sequential Aggregate MAC Scheme

• Setup: 𝑞𝑞 = (𝔿, 𝑞, 𝑕, ℎ)

– 𝑡𝑙1 = 𝑦0, 𝑦1 , secret key of the first signer 𝒯1 – 𝑡𝑙2 = 𝑦2, secret key of the second signer 𝒯2 – 𝐷𝑦0 = 𝑕𝑦0ℎ𝑦, 𝑌1 = ℎ𝑦1, 𝑌2 = ℎ𝑦2, associated public parameters

• Computation of MAC on 𝑛1 by 𝒯1 and 𝑛2 by 𝒯2:
• Verification: w ≠ 1 and 𝑥′ =

? 𝑥𝑦0+𝑛1𝑦1+𝑛2𝑦2

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

𝒯1 𝑣, 𝑣′ = 𝑣𝑦0+𝑛1𝑦1 , 𝑛1 𝒯2 𝑥 = 𝑣𝑢, 𝑥′ = 𝑣′𝑣𝑛2𝑦2 𝑢 , 𝑛1, 𝑛2

receiver

existentially unforgeable

9

Orange Labs

Our eVote Scheme

Receive credential in order to cast a vote Issue credentials in a distributed manner during the registration step Force voters to make a particular vote and try to verify it Jointly manage the tallying phase

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

voter ers coer

• ercer

ers registr egistrat ation ion auth thor

• rit

itie ies tall llyin ying auth thor

• rit

ities es

10

Orange Labs

Security Model

• Registration occurs through an untappable channel

⇒ no adversaries at this step

• Votes may be posted anonymously
• Bulletin Board is universally accessible
• Attacker may:

– access to all public information – corrupt a subpart of the election authorities – coerce voters: requests secrets, forces a particular vote…

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Voters trust their voting client.

11

Orange Labs

Set-Up

• Set-Up:

– 𝑕, ℎ, 𝑝 generators of a cyclic group 𝔿 of prime order 𝑞 – registrars ℛ: share 𝑡𝑙 = (𝑦0, 𝑦1), 𝑞𝑙 = (𝐷𝑦0 = 𝑕𝑦0ℎ𝑦, 𝑌1 = ℎ𝑦1) – talliers 𝒰: share 𝑡𝑙 and an ElGamal keypair 𝑈, 𝑈

• Registration:

– credential 𝑡, 𝑣, 𝑣′ : – 𝑡 and 𝑣 chosen randomly by ℛ – 𝑣′ = 𝑣𝑦0+𝑡𝑦1 computed by ℛ – in case of coercion, fake credential: 𝑡′, 𝑣, 𝑣′ (DDH assumption)

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

12

Orange Labs

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

Registration

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

𝑡, 𝑣, 𝑣′ , DVP (𝑡′, 𝑣, 𝑣′)

• ℛ jointly compute (𝑣, 𝑣′ = 𝑣𝑦0+𝑡𝑦1) with 𝑡, 𝑣 cooperatively selected

and prove its validity through a DVP:

• If a coercer asks to her credential, she can send a fake one:

The DVP can only convince the designated voter!

13

Orange Labs

More about our Ballot

• Credential: (𝑡, 𝑣, 𝑣′) where 𝑣′ = 𝑣𝑦0+𝑡𝑦1
• Ballot: 𝐹𝑈 𝑤 , 𝑥, 𝑥′, 𝐹𝑈 𝑥𝑡 , 𝑝𝑡, 𝑄

– 𝑥, 𝑥′ is a randomized credential s.t. 𝑥 = 𝑣𝑚 and 𝑥′ = 𝑣′ 𝑚 – 𝑄 is a pair of NIZKPs of validity: – 𝐹𝑈 𝑤 is an encryption of a valid vote – the voter knows: – the plaintext of 𝐹𝑈 𝑥𝑡 – the secret 𝑡, common both to 𝐹𝑈 𝑥𝑡 and 𝑝𝑡

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

14

Orange Labs

Voting (first election)

• Vote under coercion:
• Revote:

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

𝐹𝑈 𝑏 , 𝑥, 𝑥′, 𝐹𝑈 𝑥𝑡′ , 𝑝𝑡′, 𝑄 𝐹𝑈 𝑐 , 𝑥, 𝑥′, 𝐹𝑈 𝑥𝑡 , 𝑝𝑡, 𝑄

Bull lletin tin Board … 𝐹𝑈 𝑏 , 𝑥, 𝑥′, 𝐹𝑈 𝑥𝑡′ , 𝑝𝑡′, 𝑄 … … … … 𝐹𝑈 𝑐 , 𝑥, 𝑥′, 𝐹𝑈 𝑥𝑡 , 𝑝𝑡, 𝑄 … …

15

Orange Labs

Tallying Phase [1/5]

1. Discard ballots with invalid proofs

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Bull lletin tin Board d (offli fline) e) 𝐹𝑈 𝑐 , 𝑥1, 𝑥1

′, 𝐹𝑈 𝑥1 𝑠 , 𝑝𝑠, 𝑄

𝐹𝑈 𝑐 , 𝑥2, 𝑥2

′, 𝐹𝑈 𝑥2 𝑡 , 𝑝𝑡, 𝑄

𝐹𝑈 𝑏 , 𝑥3, 𝑥3

′, 𝐹𝑈 𝑥3 𝑢 , 𝑝𝑢 , 𝑄

𝐹𝑈 𝑐 , 𝑥4, 𝑥4

′, 𝐹𝑈 𝑥4 𝑡′ , 𝑝𝑡′, 𝑄

𝐹𝑈 𝑏 , 𝑨1, 𝑨1

′, 𝐹𝑈 𝑨1 𝑠 , 𝑝𝑠′, 𝑄

𝐹𝑈 𝑏 , 𝑨2, 𝑨2′, 𝐹𝑈 𝑨2

𝑡 , 𝑝𝑡, 𝑄

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

16

Orange Labs

Tallying Phase [2/5]

2. Remove duplicates votes ⇒ ballots published using the same secret 𝑡

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Bull lletin tin Board d (offli fline) e) 𝐹𝑈 𝑐 , 𝑥1, 𝑥1

′, 𝐹𝑈 𝑥1 𝑠 , 𝑝𝑠

𝐹𝑈 𝑐 , 𝑥2, 𝑥2

′, 𝐹𝑈 𝑥2 𝑡 , 𝑝𝑡

𝐹𝑈 𝑏 , 𝑥3, 𝑥3

′, 𝐹𝑈 𝑥3 𝑢 , 𝑝𝑢

𝐹𝑈 𝑐 , 𝑥4, 𝑥4

′, 𝐹𝑈 𝑥4 𝑡′ , 𝑝𝑡′

𝐹𝑈 𝑏 , 𝑨2, 𝑨2′, 𝐹𝑈 𝑨2

𝑡 , 𝑝𝑡

Possible policy: keep the last one

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

17

Orange Labs

Tallying Phase [3/5]

3. Reconstruction and checking of credentials

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Bull lletin tin Board d (offli fline) e) 𝐹𝑈 𝑐 , 𝑥1, 𝑥1

′, 𝐹𝑈 𝑥1 𝑠

𝐹𝑈 𝑏 , 𝑥3, 𝑥3

′, 𝐹𝑈 𝑥3 𝑢

𝐹𝑈 𝑐 , 𝑥4, 𝑥4

′, 𝐹𝑈 𝑥4 𝑡′

𝐹𝑈 𝑏 , 𝑨2, 𝑨2′, 𝐹𝑈 𝑨2

𝑡

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying
• 1. The authorities cooperatively compute

𝐹𝑈 𝑥 , 𝐹𝑈 𝑥𝑦0 , 𝐹𝑈 𝑥𝑡 , 𝐹𝑈 𝑥𝑡 𝑦1 in

• rder to obtain:

ET 𝑥𝑦0 × 𝐹𝑈 𝑥𝑡𝑦1 = 𝐹𝑈 𝑥𝑦0+𝑡𝑦1

• 2. Then, power 𝐷 = 𝐹𝑈 𝑥𝑦0+𝑡𝑦1 /𝑥′ to a

fresh random 𝛽 for the PET: 𝐸 = 𝐷𝛽 should be equal to 𝐹𝑈 1

18

Orange Labs

Tallying Phase [4/5]

4. Mix the ballots

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Bull lletin tin Board d (offli fline) e) 𝐹𝑈 𝑐 , 𝐸1 𝐹𝑈 𝑏 , 𝐸2 𝐹𝑈 𝑐 , 𝐸3 𝐹𝑈 𝑏 , 𝐸4

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

Bull lletin tin Board 𝐹𝑈′ 𝑏 , 𝐸2′ 𝐹𝑈′ 𝑏 , 𝐸4′ 𝐹𝑈′ 𝑐 , 𝐸3′ 𝐹𝑈′ 𝑐 , 𝐸1′

Mix Net

Published on the WBB

Re-encrypt and permute each row

19

Orange Labs

Tallying Phase [5/5]

5. Identify valid votes by jointly decrypting 𝐸𝑗:

– If the plaintext is equal to 1, the ballot is valid and thus decrypted

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Bull lletin tin Board (offli fline) e) 𝐹𝑈′ 𝑏 , 𝐸2′ 𝐹𝑈′ 𝑏 , 𝐸4′ 𝐹𝑈′ 𝑐 , 𝐸3′ 𝐹𝑈′ 𝑐 , 𝐸1′

• 1. Setup
• 2. Registration
• 3. Voting
• 4. Tallying

Resul sults 𝑏 𝑏 𝑐 Distributed decryption

20

Orange Labs

Multiple Elections and Credentials Revocation

• For a second election, registrars ℛ:

– jointly generate an election identifier 𝑓𝐽 – compute a new pair of keys (𝑦2, 𝑌2 = ℎ𝑦2), shared with the talliers 𝒰 – publish an updated credential 𝑥, 𝑥′ for each eligible voter: (𝑣, 𝑣′ = 𝑣𝑦0+𝑡𝑦1) associated to the secret 𝑡 becomes 𝑣𝑢, 𝑣′𝑣𝑓𝐽𝑦2 𝑢 = (𝑥, 𝑥′ = 𝑥𝑦0+𝑡𝑦1+𝑓𝐽𝑦2)

⇒ voting and tallying phases are unchanged

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

21

Orange Labs

Security

• A voter cannot prove her vote:

false and real credentials are indistinguishable

• No forced abstention:

votes cast using anonymous channel

• No forced randomization and impersonation:

voter can use fake credential for false vote and cast another one later

• Resistance to shoulder-surfing:

Re-vote policy: only the last might count

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Our voting scheme satisfies:

• eligibility requirement through security properties of the MAC,
• coercion-resistance property under DDH assumption.

22

Orange Labs

Conclusion

• a Sequential Aggregate MAC Scheme existentially unforgeable
• Our new voting scheme for remote elections is:

– publicly verifiable – efficient (linear time complexity) – coercion-resistant – allowing multiple elections and credentials revocation

Remote e-voting: Efficient, Verifiable and Coercion-Resistant

Thank you