Verifying a Secret-Ballot Election with Cryptography

Transcription

1 Verifying a Secret-Ballot Election with Cryptography Ben Adida PhD Thesis Defense Thesis Committee Ronald L. Rivest, Srini Devadas, Shafi Goldwasser 22 June 2006

2 Ostraka (sea shells)

3

4 Australian Ballot

5 The Breakfast Vote Croissant Eggs & Bacon Carl the Coercer Eggs&Bacon Lobby Valerie the Voter

6 Voting Interface Croissant Carl the Coercer Eggs&Bacon Lobby Valerie the Voter

7 The Ballot Handoff Croissant Eggs & Eggs & Bacon Bacon Croissant Croissant Croissant Valerie the Voter

8 The Cost of Secrecy

9 Chain of Custody Polling Location 4 3 Voting Machine 2 /* * source * code */ if (... 1 Vendor Valerie Results Ballot Box Collection

10 Secret ballots and transparency in government are mutually exclusive concepts. Lynn Landes - Nov evoting in Switzerland 95% of Geneva citizens vote by mail (and now Internet)

11 The Secret Ballot Matters Secret Ballot implemented in Chile in the secrecy of the ballot [...] has first-order implications for resource allocation, political outcomes, and social efficiency. [BalandRobinson 2004]

12 Secrecy vs. Audit-ability? Cryptography solves problems that seem contradictory. There s such a thing as just the right level of contradiction. Ronald L. Rivest (paraphrased)

13 End-to-End Verification [SRC81] Voting Machine /* * source * code */ if (... Vendor Polling Location Bulletin Board Results... Valerie 1 Receipt 2

14 A Bulletin Board? Bulletin Board Valerie: Croissant Vanessa: Croissant Victor: Eggs&Bacon Tally Croissant: 2 Eggs&Bacon: 1 Valerie

15 An Encrypted Bulletin Board! Bulletin Board Valerie: Croissant Vanessa: Croissant Ballot Casting Assurance Valerie Victor: Eggs&Bacon Tally Universal Verifiability Croissant: 2 Eggs&Bacon: 1

16 Crypto Voting Schemes decryption Valerie Vanessa encryption Encrypted Votes anonymization Victor Registration Database Results Tally

17 Contributions [ANa2006, ANb2006] decryption anonymization Valerie Vanessa encryption Encrypted Votes [AW2006] [AR2006] Victor Tally Registration Database Results

18 This Talk Introduction to Crypto Voting Scratch & Vote Public Mixing

19 Ryan Ballot [CRS2004, C2005] Croissant Eggs None Croissant Croissant Eggs Eggs None None 8c3859x0dfsw 8c3859x0dfsw Onion 8c3859x0dfsw

20 Onion Decryption Onion = Enc pk1 (r 1 ; Enc pk2 (r 2 ; Enc pk3 (r 3 ))) Croissant None Eggs Eggs Eggs None Eggs None r 1 r 2 r 3 Croissant Croissant Croissant None 8c3859x0dfsw 8c3859x0dfsw 8c3859x0dfsw 8c3859x0dfsw

21 Ryan Ballot: Verification Internet / Phone Bulletin Board Valerie Vanessa Victor 8c3859x0dfsw 8c3859x0dfsw b37c m4s6s Valerie the Voter Croissant Croissant Croissant Croissant Eggs Eggs Eggs NoneEggs None None None 8c3859x0dfsw 8c3859x0dfsw 8c3859x0dfsw 8c3859x0dfsw Verify half the ballots Ed the Election Official

22 What can we improve? Pre-voting auditing administrators involved for Ryan ballot individual voter verification unlikely Post-voting auditing administrators are highly involved

23 [B85, BT86, P99] Homomorphic Counters Vote for Croissant Vote for Eggs&Bacon Vote for None # US eligible voters < 2 28 (28 bits) Paillier Plaintext = 1024 bits

24 Scratch & Vote Ballot r 1 r 2 r 3 Croissant Eggs None Enc pk (2 56 ; r 1 ) Enc pk (2 28 ; r 2 ) Enc pk (2 0 ; r 3 ) Scratch Surface 2D barcode

25 Pre-Voting Verification Croissant None Eggs Croissant None Eggs Vote Valerie the Voter Audit

26 Casting Croissant Eggs None Croissant Croissant Eggs Eggs None None

27 Post-Voting Verification Internet / Phone Bulletin Board Valerie Vanessa Victor Valerie the Voter

28 Tally Bulletin Board Valerie Vanessa Victor Homomorphic Addition Single Decryption Croissant: 2 Eggs & Bacon: 1

29 Issues Under the Rug Voter/Official Collusion NIZK on bboard Casting a Ballot Pre/Double Tear More than one race? Chaum ballot Ballot Printers know the candidate orders Working on that!

30 This Talk Introduction to Crypto Voting Scratch & Vote Public Mixing

31 El Gamal Reencryption sk = x mod q pk = y = g x mod p Enc pk (m; r) = (α, β) = (g r, m y r ) Dec sk (c) = β α x Reenc pk (c; r ) = c Enc pk (1, r ) = (g r+r, m y r+r )

32 Reencryption Mixnet [PIK93, SK94] France USA Switzerland Each mix server shuffles and reencrypts inputs.

33 Proving the Mix [Neff2001, FS2001,...] c 1 c 1 c 2 c c i = Reenc(c π(i), r i) c n France c n ZKPoK [ π, {r i} ] France can t cheat! π and{r i} stay private!

34 Private vs. Public Private π, {r i} Public c 1 c 1 c 2 c 2... P... c n c n what if we could replace the private mixnet with a public program?

35 So What? c 1 π, {r i} c 1 c 2 c 2... P... c n c n public program anyone can run it pre-proven all proofs before mixing unbiased leaking permutation and random factors are fixed before inputs are provided. That s great, but can it really be done? [BG+2001, GK2005]

36 [BGN2005] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2 pk = (n, g, h = u p 1 ) sk = p 2 Enc Dec sk (c) = log g (c p 2 pk (m) = g m h r ) p 2 Enc pk (m 1 ) Enc pk (m 2 ) = Enc pk (m 1 + m 2 ) e(enc pk (m 1 ), Enc pk (m 2 )) = Enc pk (m 1 m 2 )

37 Oblivious Cancellation / Selection Enc pk (m) Enc pk (0) = Enc pk (0) Enc pk (m) Enc pk (1) = Enc pk (m) Enc pk (0) and Enc pk (1) are indistinguishable Clearly Useful for PIR and OT [BGN2005]. In fact, it s more powerful still.

38 Matrix Multiplication a a 1l a a 2l..... b b 1n b b 2n..... = c c 1n c c 2n..... a n1... a nl b l1... b ln c m1... c mn c ij = l a ik b kj k=1 Degree is exactly 2: only one multiplication!

39 Homomorphic MM m 1 m 2 m 3 m 4 m 5 = m 3 m 1 m 5 m 2 m 4 Homomorphic matrix multiplication by an encrypted permutation matrix = Mixing!

40 Public Mixing Private π {r i } Public c 1 c P = c 1 c 2... c n c n

41 A Taste of the Proofs Deterministic Mixing functionality permutation-indistinguishable by a hybrid argument on semantic security. Proof of Correct Obfuscation simulator creates its own mixing matrix semantic security, thus adversary cannot distinguish

42 Why Did We Succeed? [BG+2001, GK2005] tell us generic obfuscation is hard. Functionality defined on the plaintexts; we re only dealing with ciphertexts covers of encryption We don t know that this is really a permutation matrix! We must prove correct functionality.

43 Proving the Matrix is an encrypted permutation matrix? Straight-forward proof: Use Proof of Partial Knowledge [CDS94] to show that each element is either 0 or 1. Homomorphically compute the row and column sums and prove that they re all equal to 1. n 2 proofs. Uggh.

44 Proving the Matrix (better) r 1... = c r n c n Proof by Random Vector Challenge Well-known techniques, O(n). n 2 computation, O(n) proof.

45 Mixing more than once? France USA Not with BGN bilinear map... Only one multiplication.

46 Distributed Generation France USA Use a Mixnet to shuffle the matrix rows Prove each one using Random Vector Test Remember, this is still before the inputs to mix are available.

47 Encapsulated Mixing Capture the actions of the various mixers. Prove that everything went well. Replay them on the encrypted votes when they re available.

48 [DJ2001] Generalized Paillier Enc pk (m) = g m r n mod n 2, m Z n Enc pk,2 (m) = h m r n2 mod n 3, m Z n 2 Enc pk,2 (Enc pk (m)) = h gm r n r n2 mod n 3 c = Enc pk (m) [ ] c Encpk,2 (0) = Encpk,2 (0) [ Encpk,2 (Enc pk (0)) ] c = Encpk,2 (c)

49 GP Homomorphisms 0 m = m 0 = 0 0 m = m 0 = 0 + m = m m 0 = 0+ m = m

50 GP Public Mixing m 1 m 2 m 3 = m 4 m 5 m 31 m 12 m 53 m 2 m 4 m 4 m 5 Full-length plaintexts Faster computation (modexp vs. BM) But... longer proofs (double discrete log) Composable via multiple layering?

51 Contributions Education Introduction to Crypto Voting Mixnet Review Ballot Casting Assurance [ANa2006] Practice Scratch & Vote [AR2006] Theory Public Mixing [AW2005] Assisted Human Interactive Proofs [ANb2006]

52 The Promise of Crypto Voting 1. Secrecy AND Audit-ability 2. End-to-end Verification

53 What s Holding This Up? Education remote voting is dangerous crypto is integral, so trust your cryptographer? Recovery if you know what went wrong, then you have to fix it. Future Research: recovery-centric schemes

54 So what next? New voting laws should encourage research and pilot deployments of direct voter verifiable voting techniques. VVPAT only is a missed opportunity.

55 Thanks!! Ron Shafi, Srini Andy, David, Douglas, Susan, David Steven, Seth, Rafael, Chris, Ran, Guy Hal, Danny, Eric, Ralph Zak, Ken, Pete Rita, Mom, Dad, Claire, Juliette

56 Questions?