
Code Verification E-Voting - Columbia Universityanthi/Work_files/CodeVerificationE... · 2016. 3....

Date post: 07-Feb-2021
Code Verification E-Voting Anthi Orfanou UoA March 23, 2012 Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 1 / 21
Transcript
  • Code Verification E-Voting

    Anthi Orfanou

    UoA

    March 23, 2012

    Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 1 / 21

  • E-Voting

    2 types of E-Voting
      - Kiosk Voting
      - Internet Voting

    Internet Voting - 3 phases
      - Registration/Key Generation
      - Elections
          - Voter: Casts a vote
          - Personal Computers: Vote Encryption, Vote Submission
          - Vote Collectors: Vote Storing, Forward to Tallier
      - Tallying
          - Tallier: Vote Decryption, Counting

  • E-Voting Protocol Properties

    Correctness

    Robustness

    Privacy

    Integrity

    Coercion Resistance

    Verifiability

    Usability

    In practice many of them conflict!

  • Code Verification Protocols

    Provide security codes as a receipt for voting

    Guarantee vote integrity

    Additional entities:
      - Security Code Generators
      - Messengers
      - Out-of-band communication channels

    The Norwegian E-Voting System

  • The Norwegian E-Voting System

    Coalition of malicious PC and messenger can submit forged ballots!

  • The Norwegian E-Voting System

    2 main approaches to generate and transfer the security codes

    The Proxy Oblivious Transfer [Heiberg, Lipmaa, Van Laenen 2010 [1]]

      - Random security codes
      - Easy setup phase
      - Linear communication complexity in the number of Candidates

    The Pseudo-random Composition [Gjøsteen 2010-11 [2],[3]]
      - Pseudo-random security codes
      - More complex setup phase
      - Communication complexity independent of the number of Candidates

    Both share similar security issues!

  • Proxy Oblivious Transfer

    3 entities involved:

    Chooser: chooses an index x

    Sender: Stores a database $f = (f_0, f_1, \ldots, f_{n-1})$

    Proxy: Retrieves a single item $f_x$ without knowing $x$
      - Strong POT: the proxy retrieves the correct item by performing certain computations
      - Weak POT: the proxy stores additional supporting data that do not leak information

  • The Proxy Oblivious Transfer E-Voting [HLV’10]

    ElGamal PKC $\langle G, q, g \rangle$, $N$ candidates, $(pk_m, sk_m)$ messenger’s keys, $(pk_t, sk_t)$ tallier’s keys, $H$ random oracle

  • The Proxy Oblivious Transfer Security

    Malicious PC: Sees the vote (no privacy), cannot alter it without being detected (integrity)

    Malicious VC: Sees encryptions (privacy), cannot change signed votes (integrity)

    Malicious Messenger: Gets no information about the indexes (privacy)

    Weakness: Collaboration among Vote Collector and Messenger breaks the protocol’s privacy!

    Compare the value $a = g^{f_x}$ of the messenger with the database of the VC: $i \leftrightarrow f_i$

  • The Pseudo-random Superposition Code Verification

    Security Codes are constructed through 3 different pseudo-random functions

    For each voter $V$ let:
      - $f$ be a global encoding function $f$ : Candidates → $G$
      - $s_V$ be a secret exponent
      - $h_V$ be a pseudo-random function, selected from prf family $F$

    $Code_V[cnd] = h_V\big((f(cnd))^{s_V}\big)$

  • Code Generation

    ElGamal PKC $\langle G, q, g \rangle$, $f$ encoding function, $F$ prf function family

  • Sharing the Keys

    Key Generation:

    Values $a_1, a_2, a_3 \in \mathbb{Z}_q$ are selected such that $a_1 = a_2 + a_3 \bmod q$

    Let $sk_t = a_1$, $sk_v = a_2$, $sk_m = a_3$ be the secret keys and $pk_t = g^{a_1}$, $pk_v = g^{a_2}$, $pk_m = g^{a_3}$ be the public keys

    $pk_t = g^{a_1} = g^{a_2} g^{a_3} = pk_m \cdot pk_v$
      + No need to encrypt the submitted votes with different keys
      − A coalition of the VC and the Messenger can reconstruct the decryption key

  • The Pseudo-random E-Voting [Gjø ’10-’11]

    ElGamal PKC $\langle G, q, g \rangle$, $f$ encoding function, $a_1 = a_2 + a_3 \bmod q$, $h_V$ prf function, $s_V$ secret exponent
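
    An added example (not from the slides or the cited papers' code) of how the parameters listed above can fit together: the PC encrypts under pk_t, the Vote Collector uses s_V and its share a_2, and the Messenger uses its share a_3 and h_V to obtain Code_V[cnd] without seeing f(cnd). The message flow, the toy group, the candidate names and HMAC-SHA256 standing in for the PRF are assumptions.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
P, Q, G = 2039, 1019, 4            # p = 2q + 1; 4 generates the order-q subgroup
F = {"A": 9, "B": 25, "C": 49}     # f: hypothetical candidates -> squares mod p

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def setup():
    """Split key a1 = a2 + a3 mod q, plus one voter's s_V and the key of h_V."""
    a2, a3 = rand_exp(), rand_exp()
    a1 = (a2 + a3) % Q
    keys = {"a1": a1, "a2": a2, "a3": a3,
            "pk_t": pow(G, a1, P), "pk_v": pow(G, a2, P), "pk_m": pow(G, a3, P)}
    voter = {"s": rand_exp(), "h_key": secrets.token_bytes(16)}
    return keys, voter

def h(voter, elem):
    """h_V: HMAC-SHA256 as a stand-in PRF, truncated to a 4-digit code."""
    mac = hmac.new(voter["h_key"], elem.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10000

def code_card(voter):
    """Code_V[cnd] = h_V(f(cnd)^{s_V}) for every candidate."""
    return {c: h(voter, pow(m, voter["s"], P)) for c, m in F.items()}

def pc_encrypt(keys, cnd):
    """PC: ElGamal encryption of f(cnd) under the tallier's key pk_t."""
    r = rand_exp()
    return pow(G, r, P), F[cnd] * pow(keys["pk_t"], r, P) % P

def vote_collector(keys, voter, c):
    """VC (holds s_V, a2): raise to s_V, strip the a2 share of the mask."""
    x, w = c
    xs, ws = pow(x, voter["s"], P), pow(w, voter["s"], P)
    return xs, ws * pow(xs, Q - keys["a2"], P) % P    # now f^s masked under pk_m

def messenger(keys, voter, c):
    """Messenger (holds a3, h_V): decrypts to f(cnd)^{s_V}, returns the code."""
    xs, ws = c
    return h(voter, ws * pow(xs, Q - keys["a3"], P) % P)
```

    The voter compares the code returned by the Messenger with the entry for their choice on the code card; the same split is what lets a VC and Messenger coalition add a_2 and a_3 to recover a_1.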

  • The Pseudo-random Superposition Security

    Same guarantees as the POT approach, for each individual entity

    Collaboration among Vote Collector and Messenger breaks the protocol’s privacy!

    Shared key reconstruction

    Separate the keys? Given $s_V$ the Messenger can break privacy by comparisons: $\forall c^*$ $f^{s_V}(c^*)$

  • The ballot format

    A ballot has multiple options: $k_{max}$ out of $n$ candidates $(x_1, \ldots, x_{k_{max}})$ (possibly padded)

    Order not important, no write-in option

    Encrypted ballot: tuple of multiple ElGamal cipher-texts of fixed size
    $c = (Enc(f(x_1)), Enc(f(x_2)), \ldots, Enc(f(x_{k_{max}})))$

    Code verification: Different security code for each cipher-text

    Decryption: Depends on the encoding function used

  • Choosing the encoding function

    How to choose f ?

    Random injection $f$ : Candidates → $G$
    Decryption: Each option separately

    Special Structure $f$ : Candidates → SpecialSet
    Decryption: compress and recover cipher-texts efficiently!

  • A new approach

    $p, q$ primes, $p = 2q + 1$ and $G$ be the cyclic group of quadratic residues of $F_p$

    $L$ the set of the smallest primes $\{l_1, l_2, \ldots, l_L\}$, $l_i \in G$

    Factoring of products of small primes can be solved efficiently

    Definition

    Prime DDH: Given $(l_1, \ldots, l_L) \in G^n$ decide if $(x_1, \ldots, x_L) \in G^n$ was sampled uniformly from the powers $\{l_1^s, \ldots, l_L^s\}$ or uniformly from $G^L$.

    Unknown hardness! Only weaker, special cases have been proved equivalent to the DDH problem

  • A new approach

    $f$ : random injection Candidates → $L$

    Vote Collector
      - Input $c = (Enc_{pk_t}(f(x_1)), \ldots, Enc_{pk_t}(f(x_{k_{max}})))$
      - Compression: $\tilde{c} = \prod_{i=1}^{k_{max}} Enc_{pk_t}(f(x_i))$

    Tallier
      - Decrypts $\tilde{c}$: $\prod_{i=1}^{k_{max}} f(x_i) = l_1 \cdots l_{k_{max}}$
      - Recovers the votes $l_1, \ldots, l_{k_{max}}$
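
    An added worked example (not from the slides) of the compression step: candidates are encoded as the smallest primes that are quadratic residues, the Vote Collector multiplies the ElGamal ciphertexts, and the Tallier decrypts one product and factors it over L. The toy group, the candidate names and the rejection of malformed products are assumptions; padding is not modelled.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
P, Q, G = 2039, 1019, 4        # p = 2q + 1; 4 generates the quadratic residues mod p
KMAX = 3                       # options per ballot

def small_primes_in_group(count):
    """The smallest primes that are quadratic residues mod P (Euler's criterion)."""
    found, n = [], 2
    while len(found) < count:
        if all(n % d for d in range(2, n)) and pow(n, Q, P) == 1:
            found.append(n)
        n += 1
    return found

L_SET = small_primes_in_group(5)                    # the set L
F = dict(zip(["A", "B", "C", "D", "E"], L_SET))     # f: hypothetical candidates -> L

# Any product of KMAX encodings must stay below P, or reduction mod P breaks factoring.
assert L_SET[-1] * L_SET[-2] * L_SET[-3] < P

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt_ballot(pk_t, choices):
    """PC: one ElGamal ciphertext per chosen option, c = (Enc(f(x_1)), ...)."""
    ballot = []
    for x in choices:
        r = secrets.randbelow(Q - 1) + 1
        ballot.append((pow(G, r, P), F[x] * pow(pk_t, r, P) % P))
    return ballot

def compress(ballot):
    """Vote Collector: component-wise product of the ciphertexts."""
    u, v = 1, 1
    for cu, cv in ballot:
        u, v = u * cu % P, v * cv % P
    return u, v

def tally(sk_t, compressed):
    """Tallier: decrypt the product, then factor it over L by trial division."""
    u, v = compressed
    m = v * pow(u, Q - sk_t, P) % P      # u has order q, so u^(q-sk) = u^(-sk)
    chosen = [c for c, l in F.items() if m % l == 0]
    for c in chosen:
        m //= F[c]
    if m != 1 or len(chosen) != KMAX:
        raise ValueError("plaintext is not a product of KMAX distinct elements of L")
    return sorted(chosen)
```

    A ballot that repeats an option leaves a leftover factor after trial division and is rejected rather than silently miscounted.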

  • Open Problems

    Preserve privacy against Vote Collector and Messenger Coalitions

    Preserve integrity against PC and Messenger Coalitions

    Study further the conjectured hardness of the Prime DDH problem

    Improve the current protocol’s performance (encryption, ZKPs)

  • References

    [1] “On E-Vote Integrity in the Case of Malicious Voter Computers”, Sven Heiberg, Helger Lipmaa and Filip van Laenen. In Proceedings of 15th European Symposium on Research in Computer Security ESORICS ’10, Springer, 2010.

    [2] “Analysis of an Internet Voting Protocol”, Kristian Gjøsteen. Technical Report 2010/380, International Association for Cryptologic Research, July 5, 2010.

    [3] “The Norwegian Internet Voting Protocol”, Kristian Gjøsteen. Proceedings of the Third International Conference on E-voting and Identity VoteID, Springer, 2011.

    [4] “Two Simple Code-Verification Voting Protocols”, Helger Lipmaa. IACR Cryptology ePrint Archive 2011: 317, 2011.

  • The End...
