Information Processing Letters 75 (2000) 211 215 Efficient construction of vote-tags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent Software Components, 08190 Sant Cugat del Vallès, Spain b CCD, Department of Computer Science, Universitat Autònoma de Barcelona, 08193 Bellaterra, Spain Received 8 July 1999; received in revised form 24 May 2000 Communicated by F.B. Schneider Abstract Electronic voting schemes usually use voting receipts to assure accuracy and verifiability of the tally. A traditional voting receipt consists of the blind signature of the voter s ballot made by the voting centre. However, this construction forces the voter to reveal in which way he/she voted in case an objection to the tally is done. The mechanism of vote-tags solves this problem, allowing open objection to the tally. Nonetheless, previous proposals for vote-tags imply high computation costs. In this paper we propose an efficient method to construct vote-tags, based on one-way hash functions. 2000 Elsevier Science B.V. All rights reserved. Keywords: Cryptography; Electronic voting schemes; Vote-tags; Blind signatures; One-way hash functions 1. Introduction The objective of secure electronic voting schemes is to conduct elections over general-purpose and open computer networks. During the ballot collecting process, eligible voters use the computer network to cast their votes. After a predetermined time, the voting centre stops accepting votes. The counting process is initiated and, finally, the tally is published. One of the security requirements involved in the design of electronic voting schemes is verifiability.there are two definitions of verifiability, universal verifiability and individual verifiability. A voting scheme is uni- This work has been partially funded by the Spanish Government Commission CICYT, through its grant TEL97-0663. Corresponding author. E-mail addresses: andreu@isoco.com (A. Riera), josef.rifa @uab.es (J. Rifà), joan.borrell@uab.es (J. Borrell). versally verifiable if anyone can independently verify that all ballots have been counted correctly. A voting scheme is individually verifiable (a weaker definition) if voters can independently verify that their own ballots have been counted correctly. In any case, if some inaccuracies have been introduced into the tally, it must be possible to detect them and prove the forgery. The majority of voting schemes use a mix-net [1] as an anonymous channel from voters to voting centre, to assure the voter s privacy. To achieve universal verifiability in these mix-based schemes is not straightforward. In contrast, individual verifiability is solved in a simple manner by means of voting receipts. A voting receipt is a proof that any voter obtains at voting time from the voting centre, certifying that his or her particular ballot has been accepted. In case that the ballot is modified or it just does not appear when the tally is finally published, the affected voter can use the vot- 0020-0190/00/$ see front matter 2000 Elsevier Science B.V. All rights reserved. PII: S0020-0190(00)00107-1
212 A. Riera et al. / Information Processing Letters 75 (2000) 211 215 ing receipt to prove the fraud to any third party. Voting receipts do not prevent the voting centre from adding invalid ballots to the tally on behalf of abstaining voters. This attack has to be counteracted by additional measures outside the scope of this paper. The most efficient method to obtain the required voting receipts without sacrificing the voter s privacy, is by using blind signatures [2]. Blind signatures allow some party to get a message digitally signed by another party, without revealing any information about the message to the signer. This concept can be demonstrated using RSA signatures [6] as follows. Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let(n, e) be Bob s RSA public key and (n, d) be his private key. Alice generates a random value r (called a blinding factor), such that gcd(r, n) = 1. Alice sends to Bob m = r e m mod n. Since the value m is blinded by the random value r, Bob cannot derive useful information from it. Bob returns the signed value s = (m ) d = (r e m) d mod n to Alice. Since s = r m d mod n, Alice can obtain the true signature s of m by computing s = s r 1 mod n. Now Alice s message m has a signature she could not have obtained on her own. Moreover, even though the signature itself is secure provided that factoring remains difficult, the signature is still unconditionally blind since r is random. Voting receipts can therefore be easily obtained through the blind signature of the respective votes, made by the voting centre. After a voter has obtained his or her voting receipt, the mix-net is used to send the vote in readable (i.e., not blinded) form to the voting centre, together with a copy of the voting receipt. This scheme avoids unauthorized voters from voting (and authorized voters from voting more than once), and blind signatures ensure non-relativity between anonymously received ballots and previously signed voting receipts. However, if voting receipts are constructed in this way, a public objection to the tally would reveal the exact vote that was cast by the claiming voter. The problem is that each voter has been certified to his or her vote, which turns out to be the only evidence for his or her claim afterwards. To solve this inconvenience, Sako [7] proposed a slightly different construction of voting receipts. The main idea is that the voter should obtain certification for something that does not reflect his opinion. Such piece of data was named vote-tag. We will use the same denomination. The mechanism devised in previous schemes to construct vote-tags has a serious practical disadvantage which makes the ballot casting protocol inconvenient for the voter. In this paper we propose an efficient method to construct vote-tags, based on one-way hash functions. Section 2 explains previous models for constructing vote-tags, and their disadvantages. Section 3 describes our solution. Finally, Section 4 contains the concluding remarks. 2. Previous construction of vote-tags The objective of a voting receipt is to prevent the voting centre from creating a different valid vote with the same voting receipt. In addition, voting receipts based on vote-tags pretend that their publication does not disclose which are the related votes. Therefore, a vote-tag must be a piece of data, intrinsically linked to a certain vote, but that still reveals no information about it. More formally, vote-tags must fulfill two compulsory conditions: (1) A vote has to be bound to the corresponding votetaginsuchawaythatitishardforattackers,given a particular vote, to find another vote which can be linked to the same vote-tag. (2) Given a particular vote-tag, it has to be hard to disclose the related vote. To reach these objectives, Sako [7] adopts the concept of digital signature. The voter generates a random asymmetric key pair during the ballot casting protocol. The public key represents the vote-tag that has to be blindly certified by the voting centre. The desired vote is then signed with the corresponding private key. The vote, its signature, and the public verification key (vote-tag previously certified by the voting centre) are jointly sent to the voting centre through the mix-net. This construction fulfills the conditions presented above. Firstly, to create two valid votes linked to the same vote-tag requires knowledge
A. Riera et al. / Information Processing Letters 75 (2000) 211 215 213 of the voting private key used in the signature of the vote. Only the voter has this knowledge. Secondly, it is obvious that a random public key alone does not reveal any information about the vote. When the tally is published, all accepted votes with the corresponding vote-tags have to appear. If a particular vote was not counted, then the affected voter would open his or her authorized vote-tag claiming it has not been properly treated. Since even the voting centre cannot modify a received ballot to a different vote using the same public key (first property of votetags), the key can be used as an evidence in making objection to the tally. From the vote-tag, no one would know in which way the voter voted (second property.) Besides [7], another proposal of voting scheme allowing open objection to the tally appeared in [3]. However, the construction of vote-tags is essentially the same. As a difference, the authors propose that the random asymmetric key pairs used to construct the vote-tags could be generated by voters during a registration phase preceding the election. Such phase would serve for several elections. However, there is the added difficulty of assuring the security of the voting private key during that time. Furthermore, if a voter makes a public objection to the tally, the voting asymmetric key pair has to be regenerated and recertified again. In addition, once a voter has obtained a blindly certified voting public key valid for several elections, it would not be easy to remove him or her from the electoral roll. 3. Vote-tags constructed through one-way hash functions The use of digital signatures for the vote-tag mechanism has a practical problem: the generation of a pair of asymmetric keys requires significant time. This could seem a little inconvenience. Nonetheless, the problem becomes serious in practice because practical applications of blind signatures have to consider the use of cut-and-choose techniques [8], which would force the voter to generate many pairs of asymmetric keys. The aim of cut-and-choose techniques in blind signature protocols is to protect the signer, preventing the signature of a malicious message. In our case, the voter should send to the voting centre a certain number, say p, of blinded messages. The voting centre chooses at random one of the received messages and requests the voter to reveal the blinding factor of all other messages. By unblinding the messages and checking that all p 1 unblinded messages are inoffensive, the voting centre is convinced that the message that remains still blinded is inoffensive too. The probability of the voter successfully getting the signature of the voting centre of a malicious message is 1/p, which can be made sufficiently small. To reduce the computation costs of generating p different vote-tag candidates, we suggest a new votetag construction method based on one-way hash functions. A vote-tag candidate can be constructed by appending a random string to the vote and computing the digest of the resulting data through a one-way hash function. A vote-tag of this kind fulfills the required conditions because of the properties of oneway hash functions. This construction method is at least three orders of magnitude faster than the generation of an asymmetric key pair. The standard for one-way hash functions, SHA [5], reaches the speed rate of 75 Kbytes per second on a 33 MHz 486SX [8]. This means that, assuming the concatenation of the vote and the random padding is shorter than 512 bits, 1,000 vote-tag candidates can be constructed in approximately one second. In contrast, key generation for 512-bit modulo DSA [4] (which is faster than for RSA) takes about 10 seconds [8]. To generate 1,000 vote-tag candidates in this case requires approximately three hours, which is clearly impractical. To demonstrate the effectiveness of our model of vote-tags, we will use the scheme proposed in [7] as a basis, but additionally considering the need for cutand-choose techniques and substituting the original vote-tag model by the one proposed in this paper. The following notation is used in the presentation of the resulting voting protocol: V : Veronica, a particular voter. VC: Voting centre. H {M}: The digest of message M obtained through a one-way hash function. M 1 M 2 : Concatenation of messages M 1 and M 2. [M] BF : Message M blinded with blinding factor BF. S entity (M): The digital signature of message M created with the private key of entity. M : Message M sent through an anonymous channel (mix-net).
214 A. Riera et al. / Information Processing Letters 75 (2000) 211 215 Bilateral authentication and key exchange protocol Step 1 Step 2 [H {vote rand i } ident] BF i i = 1,...,p Step 3 j {1...p} Step 4 BF i i = 1,...,p, i j Step 5 S VC ([H {vote rand j } ident] BF j ) Step 6 vote, rand j,s VC (H {vote rand j } ident) Fig. 1. Ballot casting protocol. vote: A data string which uniquely identifies one of the voting options. ident: A data string identifying the current election (e.g., the date). rand: A random data string of a certain length. Fig. 1 summarizes the steps of the voting protocol. The interaction between Veronica and the voting centre starts with the establishment of a security context for the voting session. This first step consists of a bilateral authentication and an authenticated key exchange which allows for further data interchanges using message authenticity, integrity and confidentiality services. Due to the initial authentication, the voting centre gains assurance of the identity of Veronica. The electoral roll has then to be consulted by the voting centre to check whether Veronica is an eligible voter and whether she has not voted yet. After Veronica has been authenticated and following the consultation of the electoral roll, Veronica can eventually be authorized to proceed. Veronica constructs p vote-tag candidates (for the blind signature s cut-and-choose technique) by generating p different random strings and by computing p digests of her vote concatenated with those random strings. The identifier of the current election is appended to all these p vote-tag candidates. The resulting data structures are all blinded by Veronica using different random blinding factors. Finally, they are sent to the voting centre in Step 2. The voting centre requires in Step 3 that Veronica reveals p 1of the blinding factors used. This is done by Veronica in Step 4. The voting centre can then unblind the respective messages and verify that all unblinded messages
A. Riera et al. / Information Processing Letters 75 (2000) 211 215 215 are of the correct form: a digest produced by a oneway hash function (no two digests are equal, due to the random padding) together with the current election s identifier. The privacy of Veronica s vote is assured since only digests of the vote with some random padding become known. These unblinded messages are discarded and of no use afterwards. The voting centre signs the still blinded candidate and sends this blind signature to Veronica in Step 5. From the received blind signature, Veronica is able to obtain the true signature of the voting centre of the original (unblinded) message. This signature, S VC (H {vote rand j } ident), represents the voting receipt of Veronica, which validates her vote. The inclusion of the election s identifier in the voting receipt invalidates it for future elections. The random padding allows to distinguish between the ballots of any two voters who have chosen the same voting option. Immediately after Veronica receives her voting receipt, the voting centre should update the electoral roll, crossing off Veronica s entry. If she tries to vote again, her connection will be refused. In contrast with the solution proposed in [7], our scheme ensures that the voter is committed to his or her vote immediately after receiving the voting receipt. In practice, this prevents the voter from altering his or her choice in the time between obtaining the voting receipt and the actual casting of the validated ballot through the mix-net. The only difference this makes is the moment at which the voting software warns Veronica that her decision is about to be irrevocable. In our scheme this warning must appear immediately before applying for the voting receipt, rather than just before sending the ballot to the mix-net. Last step (number six) of the voting protocol consists of using the mix-net to send the validated ballot anonymously to the voting centre. The voting centre can use a time-out mechanism to get rid of those ballots that have been validated but are not finally cast by voters through the mix-net. Votes received by the voting centre from the mix-net are accumulated in readable form into the ballot box, allowing the future counting process. Even though the voting centre is not able to correlate clear-text received ballots with the blindly signed voting receipts, the validity of the ballots is still verifiable because of the signature they incorporate in the voting receipt. The received votes cannot be modified by the voting centre to the same voting receipts because of the properties of one-way hash functions. If the voting centre eliminated a ballot (vote and voting receipt) from the final tally, the fraud could be proved to any third party by the affected voter without revealing the vote cast, by openly showing the certified voting receipt. 4. Conclusions By using one-way hash functions to construct votetags, designers of mix-based electronic voting schemes may allow open objection to the tally at low computational cost. This design decision is specially important in case of implementable voting schemes. References [1] D. Chaum, Untraceable electronic mail, return addresses and digital pseudonyms, Comm. ACM 24 (1981) 84 88. [2] D. Chaum, Blind signatures for untraceable payments, in: Crypto 82, Plenum Press, New York, 1983, pp. 199 203. [3] Q. He, Z. Su, A new practical secure e-voting scheme, in: IFIP SEC 98, Austrian Computer Society, 1998, pp. 196 205. [4] National Institute of Standards and Technology, NIST FIPS PUB 186: Digital signature standard, U.S. Department of Commerce, 1994. [5] Proposed federal information processing standard for secure hash standard, Federal Register 57 (21) (31 Jan. 1992) 3747 3749. [6] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978) 120 126. [7] K. Sako, Electronic voting scheme allowing open objection to the tally, IEICE Trans. Fund. of Electronics, Comm. Comput. Sci. E77-A (1994) 24 30. [8] B. Schneier, Applied Cryptography. Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 1996.