E-voting
Requirements
Tools and tricks
Our scheme
Coercion-Free Internet Voting with
Receipts
Mirosław Kutyłowski, Filip Zagórski
Institute of Mathematics and Computer Science,
Wrocław University of Technology
Workshop on e-Voting and e-Government in the UK
27th February 2006, Edinburgh
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Agenda
1. E-voting – dangers
2. Internet voting – requirements
3. Tools and tricks
4. Solution
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
E-voting
I
e-voting:
I
I
I
our goal:
I
I
I
I
voting machines at polling places
remote voting with electronic means
e-voting via Internet
like mail-in voting
... but secure
assumptions:
I
I
no PC can be trusted
no special hardware should be used
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Properties of mail-in voting
I
excellent for vote selling and coercing voters
I
questionable anonymity (a ballot may contain a hidden
code, “yellow dots” - Electronic Frontier Foundation)
I
ballots can disappear (Broward County, USA, 2004), or be
retained until the deadline
I
no verifiability
On the other hand - mail-in voting is gaining popularity!
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Internet voting
A straightforward solution (like in Estonia):
step 0 a voter downloads a voting program from a special
server,
step 1 using the program the voter prepares a ballot: a
resulting ciphertext that must be decrypted by
many tallying authorities,
step 2 the voter sends a signed ballot to an appropriate
authority.
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Convenient vote selling
step 0 download and install an appropriate tracing
program from a server located at Voting Islands,
step 1 prepare a ballot and submit it while the tracing
program is activated,
step 2 the tracing program sends a message to Voting
Islands
step 3 the voter gets digital cash or some access codes
step 4 the voter uninstalls the tracing program.
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Countermeasures - Estonia
I
the voter can cancel his electronic ballot and cast his vote
in a traditional way
I
so a voter may sell a vote, get money, and cancel the vote,
– no reason to buy a vote
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Countermeasures - Estonia
I
the voter can cancel his electronic ballot and cast his vote
in a traditional way
I
so a voter may sell a vote, get money, and cancel the vote,
– no reason to buy a vote
I
Is it really true?
I
I
some voters will cancel the ballots, but most of them not
a person who cancels a vote is likely to be a vote-seller
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Breaking anonymity
I
a virus can attack the voting program,
I
after attack the voting program executes kleptographic code
(→ see the talk tomorrow),
I
then somebody will be able to find out the choice of the
voter without secret keys of tallying authorities,
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Breaking anonymity
I
a virus can attack the voting program,
I
after attack the voting program executes kleptographic code
(→ see the talk tomorrow),
I
then somebody will be able to find out the choice of the
voter without secret keys of tallying authorities,
I
even a rumor of such viruses can invoke fear among the
voters and force them to vote in some way
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
E-voting
Mail-in voting
Simple Internet voting
Malicious programs
I
a ruling party can provide programs so that every ballot
created contains a vote for them
I
cases of 99% of votes for President ....
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Requirements for Internet voting
1. no cheating by a PC: a PC cannot cheat the voter with high
probability and manipulate the ballots
2. anonymity: the PC should not learn the choice of the voter
3. no vote selling: the voter cannot convince PC about his
choice
4. verifiability: the voter can check that her vote has been
counted
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Further requirements
I
no special hardware
I
no special operating systems
I
software audits are not crucial
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Chaum’s trick - Deterministic randomness
I
uncontrolled randomness can lead to kleptographic attacks
I
but randomness is necessary, so:
I
random bits are generated as
R(sig (H (m))) ,
where
R - pseudorandom bit generator,
sig - deterministic signature scheme
H - hash function
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Pairs cut and choose
I
a vote for X , card identifier Id: four ciphertexts prepared:
C (X , r , L),
C (X , r , R ),
C (Id , r 0 , L),
C (Id , r 0 , R )
(two matching pairs).
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Pairs cut and choose
I
a vote for X , card identifier Id: four ciphertexts prepared:
C (X , r , L),
C (X , r , R ),
C (Id , r 0 , L),
C (Id , r 0 , R )
(two matching pairs).
I
in order to check: the voter asks to open ciphertexts from
oder cards
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Pairs and local verifiability
I
each ballot contains two pairs (ciphertexts)
I
I
I
the first pair encodes a vote – a voter is convinced about
the vote value, but cannot provide a proof for a third party
the second pair encodes an identifier for verification – the
voter knows it
after the tallying process, a voter
I
the pair of voter’s identifiers appears on the final Bulletin
Board
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Attempts of manipulation
I
successful vote replacement:
I
I
I
one have to find a pair which encodes a vote (and not an
identifier)
removing only a half of a vote or identifier can be detected!
it is unlikely to find the matching halves if all ciphertexts are
mixed
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Decryption by multiple parties
I
an El Gamal ciphertext of M for public keys y1 , . . . yn
(m · (y1 · . . . · yn )k , g k )
for a random k ,
I
decoding requires cooperation of all holders of private keys
corresponding to y1 , . . . yn , decoding must be performed as
follows
(c1 , c2 ) := (c1 /c2xi , c2 )
for i = 1, 2, . . .
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Anti-kleptographic measures
Pairs = point to point verifiability
Encoding details
Re-encryption
knowing public keys y1 , . . . , yn , g, one can re-encrypt a ciphertext
(a, b) = (m · (y1 · . . . · yn )ki , g ki )
of m by choosing ki +1 and computing:
(a · (y1 · . . . · yn )ki +1 , b · g ki +1 )
which yields:
(m · (y1 · . . . · yn )ki · (y1 · . . . · yn )ki +1 , gik · g ki +1 ) =
= (m · (y1 · . . . · yn )ki +ki +1 , g ki +ki +1 )
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Our solution - high level scenario
I
a voter’s PC is running a voting application
I
a Ballot Generation Server – prepares cards
I
a Registration Server – checks voter’s identity and inserts
ballots into the system
I
Mix-servers decode votes
I
on the last Bulletin Board an election results and identifiers
will appear
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Voting card, Identifier card
I
each card is a randomly shifted “list” of candidates
I
cards are indistinguishable – a voter’s PC does not know
which one is a Voting card and which one is an Identifier
card
I
the same operations are performed on both cards
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Card verification
1. a voter (her PC) obtains n Voting, n Identifier cards and
commitments to the values used in cards from Ballot
Generating Server (BGS)
2. a voter chooses one of the cards and verifies the rest –
BGS reveals shifts and values needed to check if a card is
properly encoded
⇒ a voter knows (with probability 1 − n1 ) that a card which she
will use is proper
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Shifts – hiding information from a voter’s PC
1. a voter is informed about shift used in the unchecked card
by an independent channel – phone line
2. a voter’s PC does not know shift used and does not know
which card encodes votes and which encodes identifiers
⇒ voter’s PC will do not know a voter’s choice and will not be
unable to change voter’s choice
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Voting ballot
I
voting ballot is prepared from Voting card and Identifier
card by voter’s PC – a voter chooses an appropriate row
(she knows shift used in the cards)
I
a voter’s PC and a Registration Server changes some
values and re-encrypts ciphertexts contained in a voting
ballot
⇒ only a voter knows the identifier
⇒ BGS cannot trace votes
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Cancelling procedure - advanced features
I
a voter casts a vote together with an anti-vote
I
I
a vote is re-encrypted and appears on the first Bulletin
Board,
an encrypted anti-vote is kept by the Registration Server
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Cancelling procedure - advanced features
I
a voter casts a vote together with an anti-vote
I
I
a vote is re-encrypted and appears on the first Bulletin
Board,
an encrypted anti-vote is kept by the Registration Server
I
the previous vote can be cancelled by Registration Server
only with cooperation with a voter (a voter must sign an
appropriate message)
I
vote and anti-vote are unlinkable
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Main features
I
coercion-freeness
I
global verifiability (randomized partial checking on mixing
process, ballots correctly decoded)
I
local verifiability - every voter has “point-to-point”
verifiability (in other schemes voter’s verification ends on
the first Bulletin Board)
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Disadvantages
I
fairly complicated idea for voters with low mathematical
skills well suited for young voters, computer freaks
I
an independent communication channel necessary
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts
E-voting
Requirements
Tools and tricks
Our scheme
Scenario
Cards
Cancelling a vote
Summary
Thanks for your attention!
Mirosław Kutyłowski, Filip Zagórski
Coercion-Free Internet Voting with Receipts