
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Date post: 18-Dec-2015

Receipt-free Voting

Joint work with Markus Jakobsson, C. Andy Neff

Ari Juels, RSA Laboratories

Cast of characters

Voting authority

Attacker

Voter (Alice, and Bob, Charlie...)

I Like Ike

Basic Internet voting

Eve

Charlie

Bob

Alice

Basic Internet voting

Digitally signed by Eve
Digitally signed by Charlie
Digitally signed by Bob
Digitally signed by Alice

A vote for Al Bore
A vote for G.W. Gush
A vote for Al Bore
A vote for G.W. Gush

Final Tally:

Gush 2

Bore 1

BORE

Alice knows randomization, so ciphertext ballot is a proof or receipt

Alice

Knees

Receipt-freeness

Receipt-freeness property: Alice cannot open ballot or prove contents

Prevents simple blackmail

References: BT94, SK95, HS00

What receipt-freeness doesn’t defend against

Vote buying
– Sale of authentication key
– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
– Anonymous peer-to-peer networks

Compromise of voting authority servers
– Limited defense in HS00

What receipt-freeness doesn’t defend against

Shoulder surfing

Randomization attack
– Attacker pre-specifies form of Alice’s ciphertext, leading to random result

Forced-abstention attack

Receipt-freeness won’t do for real applications!

Receipt-free Voting

Joint work with Markus Jakobsson, C. Andy Neff

Ari Juels, RSA Laboratories

Coercion-free Voting

Joint work with Markus Jakobsson, C. Andy Neff

Ari Juels, RSA Laboratories

First key tool: Mix network

Randomly permutes and re-encrypts inputs

Mix network

What does a mix network do?

Key property: We can’t tell which output corresponds to a given input

Example application: Anonymizing bulletin board or e-mail

From Bob
From Charlie
From Alice

From Bob
From Charlie
From Alice

“I love Alice”
“Nobody loves Bob”
“I love Charlie”

Is it Bob, Charlie, self-love, or other?

Example application: Anonymizing bulletin board or e-mail

Another application: Voting

Digitally signed by Eve
Digitally signed by Charlie
Digitally signed by Bob
Digitally signed by Alice

A vote for Al Bore
A vote for G.W. Gush
A vote for Al Bore
A vote for G.W. Gush

Final Tally:

Gush 2

Bore 1

A quick look under the hood

Mix Structure

Figure: messages m1, m2, m3 pass through Server 1, Server 2 and Server 3. Each server re-encrypts and permutes its inputs, so the order changes at every stage (e.g., m2, m3, m1).

Mix Structure

m2

m3

m1

• Threshold decryption
• Blinding
• Re-mixing

Properties

Privacy preserved, i.e., permutation hidden if at least one server is honest

Soundness achievable by having servers prove correct permutation

Mix network

Second key tool

Threshold one-way functions
– Denoted by B() and B’()
– Essentially undeniable signature
– B(m) = m^x for shared key x

Third key tool

Anonymous credential = Voting key
– Essentially a group signature key a la Ateniese et al. (Crypto ‘00)
  • Other approaches possible
– Carries hidden, identifying tag, called tag_i
– Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold one-way function

Figure: credential carrying tag_i and val_i

A little more notation

Let E[m] denote El Gamal ciphertext on m:
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)

Our new scheme

Core ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not validator is correct

Attacker cannot tell whether a vote is valid or not

Security model

Registration:
– Attacker cannot interfere with registration process or
– User is forced by, e.g., hardware, to do erasing

Before voting:
– Attacker can provide keying or other material to voter (even entire ballot)

During vote:
– Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees)
– Bulletin board is universally accessible

At all times:
– Attacker has access to all public information, i.e., encrypted and decrypted ballots

Voting: Anatomy of a ballot

Ballot i: tag_i, val_i, vote_i, proof_i
– proof_i: NIZK proof that tag_i ciphertext is valid for credential
– Anonymous credential signature
– validator = B(tag_i)

Example ballot: tag_3, val_3, vote_3, proof_3

Tallying Ballots, Step 1: Check group signatures and proofs

Figure: Authority 1, Authority 2, ... check each posted ballot: (tag_1, val_1, vote_1, proof_1), (tag_2, val_2, vote_2, proof_2), ..., (tag_n, val_n, vote_n, proof_n).

Tallying Ballots, Step 2: Mixing ballots

Figure: Authority 1, Authority 2, ... mix the ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’) by re-encryption.

Tallying Ballots, Step 3: Joint blinding and decryption of validators

Figure: Authority 1, Authority 2, ... take the ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’) and output (tag_1, B’(val_1), vote_1), (tag_2, B’(val_2), vote_2), ..., (tag_n’, B’(val_n’), vote_n’).

B’ blinding prevents authorities from recognizing validators

Tallying Ballots, Step 4: Elimination of duplicates by validator

Figure: Authority 1, Authority 2, ... hold the ballots (tag_1, B’(val_1), vote_1), (tag_2, B’(val_2), vote_2), ..., (tag_n’, B’(val_n’), vote_n’) and (tag_3, B’(val_3), vote_3); label: equal validators.

Tallying Ballots, Step 5: Re-mixing ballots

Figure: Authority 1, Authority 2, ... re-mix the ballots (tag_1, B’(val_1), vote_1), (tag_2, B’(val_2), vote_2), ..., (tag_n’, B’(val_n’), vote_n’) by re-encryption.

Remixing required so that adversary does not recognize weeding based on number of ballots he cast

Tallying Ballots, Step 6: Verification of validators

Authority 1, Authority 2

• Authorities compute C1 = B’(B(E[tag_i])) = E[B’(B(tag_i))]
• Authorities do distributed comparison of C1 with C2 = E[B’(val_i)]
• If ciphertexts are equal, then validator is correct
• Otherwise ballot is invalid and is thus removed

Figure: ballot with E[tag_i], B’(val_i), vote_i. If correct, B’(val_i) = B’(B(tag_i))
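Added example (not from the slides): a toy Python sketch of the Step 6 check, using B(m) = m^x, B’(m) = m^y and the El Gamal homomorphism B(E[m]) = E[B(m)]. The group parameters, function names and the single-party keys s, x, y are assumptions for illustration; in the scheme these keys are shared among the authorities and the comparison is done jointly.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def encrypt(h, m):
    """El Gamal E[m] under public key h = G^s."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(h, r, P) % P)

def decrypt(s, c):
    return c[1] * pow(c[0], -s, P) % P           # needs Python 3.8+

def reencrypt(h, c):
    """Mix-server step: same plaintext, fresh randomness."""
    r = rand_exp()
    return (c[0] * pow(G, r, P) % P, c[1] * pow(h, r, P) % P)

def B(x, c):
    """B on a ciphertext: componentwise exponentiation, so B(E[m]) = E[m^x]."""
    return (pow(c[0], x, P), pow(c[1], x, P))

def validator_ok(s, h, x, y, enc_tag, enc_val):
    """Step 6 with B = ^x and B' = ^y; s, x, y are held by one party here."""
    blinded_val = decrypt(s, B(y, enc_val))      # Step 3: B'(val_i) in the clear
    c1 = B(y, B(x, enc_tag))                     # C1 = E[B'(B(tag_i))]
    c2 = encrypt(h, blinded_val)                 # C2 = E[B'(val_i)]
    quot = (c1[0] * pow(c2[0], -1, P) % P, c1[1] * pow(c2[1], -1, P) % P)
    # Blind the quotient so a mismatch reveals nothing beyond "not equal".
    return decrypt(s, B(rand_exp(), quot)) == 1

def demo():
    s, x, y = rand_exp(), rand_exp(), rand_exp()
    h = pow(G, s, P)
    tag = pow(G, rand_exp(), P)
    real, fake = pow(tag, x, P), pow(tag, x, P) * G % P   # fake differs from B(tag)
    results = []
    for val in (real, fake):
        ballot = (encrypt(h, tag), encrypt(h, val))
        mixed = tuple(reencrypt(h, c) for c in ballot)    # as after Steps 2 and 5
        results.append(validator_ok(s, h, x, y, *mixed))
    return results

if __name__ == "__main__":
    print(demo())
```

The ballot with the real validator passes and the one with the false validator is rejected, yet both ciphertext pairs look alike to anyone without the keys.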

Tallying Ballots, Step 7: Joint decryption of valid votes

Figure: Authority 1 and Authority 2 jointly decrypt vote_1, vote_2, vote_3; decrypted votes shown: Gush, Bore, Bore. Winner!

Voter cannot sell or prove vote

Key idea: Attacker cannot tell a false validator from a real one
– If attacker demands voting key, voter can provide false validator
– If attacker demands that voter cast a certain type of vote, and demands pointer(s)
  • Voter can vote as demanded using false validator
  • Voter can re-vote using correct validator

Collusion with minority coalition of servers resisted

Correct validators only computable by majority

Mixing is private and robust if majority is honest

No randomization or forced abstention

Randomization: Voter can use false validator to post false ballot… and later vote for real

Forced abstention: Group signature (+ anonymous channel) provides anonymity

Resistance to shoulder-surfing

Voter can vote multiple times

Weeding policy provides for re-vote
– E.g., last vote might count (needs extra phase)

Is it practical?

Overhead is just a few times that of basic, mix-based voting
– Hirt-Sako ‘00 requires untappable channels, linear cost in number of candidates, no write-ins, etc.

Not just practical, but essential for Internet voting!

Questions?

Additions

Votes can be countersigned by polling station, indicating priority

If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
– Requires an additional mixing step

Careful modeling required and largely unaddressed

