Code Verification E-Voting
Anthi Orfanou
UoA
March 23, 2012
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 1 / 21
E-Voting
2 types of E-VotingI Kiosk VotingI Internet Voting
Internet Voting - 3 phasesI Registration/Key GenerationI Elections
F Voter: Casts a voteF Personal Computers: Vote Encryption, Vote Submission,F Vote Collectors: Vote Storing, Forward to Tallier
I TallyingF Tallier: Vote Decryption, Counting
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 2 / 21
E-Voting Protocol Properties
Correctness
Robustness
Privacy
Integrity
Coercion Resistance
Verifiability
Usability
In practice many of them conflict!
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 3 / 21
Code Verification Protocols
Provide security codes as a receipt for voting
Guarantee vote integrity
Additional entities:I Security Code GeneratorsI MessengersI Out-of-band communication channels
PThe Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 4 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
R:Coaltion of malicious PC and messenger can submit forged ballots!
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 5 / 21
The Norwegian E-Voting System
2 main approaches to generate and transfer the security codes
The Proxy Oblivious Transfer [Heiberg, Lipmaa, Van Laenen 2010 [1]]
I Random security codesI Easy setup phaseI Linear communication complexity in the number of Candidates
The Pseudo-random Composition [Gjøsteen 2010-11 [2],[3]]I Pseudo-random security codesI More complex setup phaseI Communication complexity independent of the number of Candidates
Both share similar security issues!
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 6 / 21
Proxy Oblivious Transfer
3 entities involved:
Chooser: chooses an index x
Sender: Stores a database f = (f0, f1, ..., fn−1)
Proxy: Retrieves a single item fx without knowing xI Strong POT: the proxy retrieves the correct time by performing certain
computationsI Weak POT: the proxy stores additional supporting data that do no leak
information
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 7 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer E-Voting [HLV’10]
ElGamal PKC 〈G , q, g〉, N candidates, (pkm, skm) messenger’s keys, (pkt, skt) tallier’s keys, H random oracle
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 8 / 21
The Proxy Oblivious Transfer Security
Malicious PC: Sees the vote (no privacy), cannot alter it withoutbeing detected (integrity)
Malicious VC: Sees encryptions (privacy), cannot change signed votes(integrity)
Malicious Messenger: Gets no information about the indexes (privacy)
RWeakness: Collaboration among Vote Collector and Messenger breaksthe protocol’s privacy!
Compare the value a = g fx of the messenger with the database of VCi ↔ fi
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 9 / 21
The Pseudo-random Superposition Code Verification
Security Codes are constructed through 3 different pseudo-randomfunctionsFor each voter V let:
f be a global encoding function f : Candidates → GsV be a secret exponent
hV be a pseudo-random function, selected from prf family FCodeV [cnd ] = hV ((f (cnd))
sV )
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 10 / 21
Code Generation
ElGamal PKC 〈G , q, g〉, f encoding function, F prf function family
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 11 / 21
Sharing the Keys
Key Generation:
Values a1, a2, a3 ∈ Zq are selected such that a1 = a2 + a3 mod qLet skt=a1, skv=a2, skm=a3 be the secret keys and pkt=g
a1 ,pkv=ga2 , pkm=ga3 be the public keys
pkt = ga1 = ga2ga3 = pkm · pkvR+ No need to encrypt the submitted votes with different keysR− A Coalition of the VC and the Messenger can reconstruct thedecryption key
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 12 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random E-Voting [Gjò ’10-’11]
ElGamal PKC 〈G , q, g〉, f encoding function, a1 = a2 + a3 mod q, hV prf function, sV secret exponent
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 13 / 21
The Pseudo-random Superposition Security
RSame guarantees with the POT approach, for each individual entity
RCollaboration among Vote Collector and Messenger breaks theprotocol’s privacy!
Shared key reconstruction
Separate the keys? Given sV the Messenger can break privacy bycomparisons: ∀c∗ f sV (c∗)
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 14 / 21
The ballot format
A ballot has multiple options: kmax out of n candidates (x1, ..., xkmax )(possibly padded)
Order not important, no write-in option
Encrypted ballot: tuple of multiple ElGamal cipher-texts of fixed sizec = (Enc(f (x1)),Enc(f (x2)), ...,Enc(f (xkmax ))
Code verification: Different security code for each cipher-text
Decryption: Depends on the encoding function used
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 15 / 21
Choosing the encoding function
How to choose f ?
Random injection f : Candidates → GDecryption: Each option separately
Special Structure f : Candidates → SpecialSetDecryption: compress and recover cipher-texts efficiently!
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 16 / 21
A new approach
p, q primes, p = 2q + 1 and G be the cyclic group of quadraticresidues of FpL the set of the smallest primes {l1, l2, ..., lL}, li ∈ GFactoring of products of small primes can be solved efficiently
Definition
Prime DDH Given (l1, ..., lL) ∈ Gn decide if (x1, ..., xL) ∈ Gn was sampleduniformly from the powers {l s1 , ..., l sL} or uniformly from GL.
RUnknown hardness! Only weaker, special cases have been provedequivalent to the DDH problem
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 17 / 21
A new approach
f : random injection Candidates → LVote Collector
I Input c = (Encpkt(f (x1)), ...,Encpkt(f (xkmax ))I Compression: c̃ =
∏kmaxi=1 Encpkt(f (xi ))
TallierI Decrypts c̃ :
∏kmaxi=1 f (xi ) = l1...lkmax
I Recovers the votes l1, ..., lkmax
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 18 / 21
Open Problems
RPreserve privacy against Vote Collector and Messenger Coalitions
RPreserve integrity against PC and Messenger Coalitions
RStudy further the conjectured hardness of the Prime DDH problem
RImprove the current protocol’s performance (encryption, ZKPs)
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 19 / 21
References
“On E-Vote Integrity in the Case of Malicious Voter Computers”,Sven Heiberg, Helger Lipmaa and Filip van Laenen. In Proceedings of15th European Symposium on Research in Computer SecurityESORICS ’10, Springer, 2010.
“Analysis of an Internet Voting Protocol”, Kristian Gjøsteen.Technical Report 2010/380, International Association for CryptologicResearch, July 5, 2010.
“The Norwegian Internet Voting Protocol”, Kristian Gjøsteen.Proceedings of the Third International Conference on E-voting andIdentity VoteID, Springer, 2011.
“Two Simple Code-Verification Voting Protocols”, Helger Lipmaa.IACR Cryptology ePrint Archive 2011: 317, 2011.
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 20 / 21
The End...
Anthi Orfanou (UoA) Code Verification E-Voting March 23, 2012 21 / 21
Introduction: E-VotingThe Norwegian E-Voting SystemProxy Oblivious TransferPseudo-random Superposition
Encoding Options