E-voting Requirements Tools and tricks Our scheme Coercion-Free Internet Voting with Receipts Mirosław Kutyłowski, Filip Zagórski Institute of Mathematics and Computer Science, Wrocław University of Technology Workshop on e-Voting and e-Government in the UK 27th February 2006, Edinburgh Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Agenda 1. E-voting – dangers 2. Internet voting – requirements 3. Tools and tricks 4. Solution Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting E-voting I e-voting: I I I our goal: I I I I voting machines at polling places remote voting with electronic means e-voting via Internet like mail-in voting ... but secure assumptions: I I no PC can be trusted no special hardware should be used Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Properties of mail-in voting I excellent for vote selling and coercing voters I questionable anonymity (a ballot may contain a hidden code, “yellow dots” - Electronic Frontier Foundation) I ballots can disappear (Broward County, USA, 2004), or be retained until the deadline I no verifiability On the other hand - mail-in voting is gaining popularity! Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Internet voting A straightforward solution (like in Estonia): step 0 a voter downloads a voting program from a special server, step 1 using the program the voter prepares a ballot: a resulting ciphertext that must be decrypted by many tallying authorities, step 2 the voter sends a signed ballot to an appropriate authority. Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Convenient vote selling step 0 download and install an appropriate tracing program from a server located at Voting Islands, step 1 prepare a ballot and submit it while the tracing program is activated, step 2 the tracing program sends a message to Voting Islands step 3 the voter gets digital cash or some access codes step 4 the voter uninstalls the tracing program. Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Countermeasures - Estonia I the voter can cancel his electronic ballot and cast his vote in a traditional way I so a voter may sell a vote, get money, and cancel the vote, – no reason to buy a vote Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Countermeasures - Estonia I the voter can cancel his electronic ballot and cast his vote in a traditional way I so a voter may sell a vote, get money, and cancel the vote, – no reason to buy a vote I Is it really true? I I some voters will cancel the ballots, but most of them not a person who cancels a vote is likely to be a vote-seller Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Breaking anonymity I a virus can attack the voting program, I after attack the voting program executes kleptographic code (→ see the talk tomorrow), I then somebody will be able to find out the choice of the voter without secret keys of tallying authorities, Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Breaking anonymity I a virus can attack the voting program, I after attack the voting program executes kleptographic code (→ see the talk tomorrow), I then somebody will be able to find out the choice of the voter without secret keys of tallying authorities, I even a rumor of such viruses can invoke fear among the voters and force them to vote in some way Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme E-voting Mail-in voting Simple Internet voting Malicious programs I a ruling party can provide programs so that every ballot created contains a vote for them I cases of 99% of votes for President .... Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Requirements for Internet voting 1. no cheating by a PC: a PC cannot cheat the voter with high probability and manipulate the ballots 2. anonymity: the PC should not learn the choice of the voter 3. no vote selling: the voter cannot convince PC about his choice 4. verifiability: the voter can check that her vote has been counted Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Further requirements I no special hardware I no special operating systems I software audits are not crucial Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Chaum’s trick - Deterministic randomness I uncontrolled randomness can lead to kleptographic attacks I but randomness is necessary, so: I random bits are generated as R(sig (H (m))) , where R - pseudorandom bit generator, sig - deterministic signature scheme H - hash function Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Pairs cut and choose I a vote for X , card identifier Id: four ciphertexts prepared: C (X , r , L), C (X , r , R ), C (Id , r 0 , L), C (Id , r 0 , R ) (two matching pairs). Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Pairs cut and choose I a vote for X , card identifier Id: four ciphertexts prepared: C (X , r , L), C (X , r , R ), C (Id , r 0 , L), C (Id , r 0 , R ) (two matching pairs). I in order to check: the voter asks to open ciphertexts from oder cards Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Pairs and local verifiability I each ballot contains two pairs (ciphertexts) I I I the first pair encodes a vote – a voter is convinced about the vote value, but cannot provide a proof for a third party the second pair encodes an identifier for verification – the voter knows it after the tallying process, a voter I the pair of voter’s identifiers appears on the final Bulletin Board Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Attempts of manipulation I successful vote replacement: I I I one have to find a pair which encodes a vote (and not an identifier) removing only a half of a vote or identifier can be detected! it is unlikely to find the matching halves if all ciphertexts are mixed Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Decryption by multiple parties I an El Gamal ciphertext of M for public keys y1 , . . . yn (m · (y1 · . . . · yn )k , g k ) for a random k , I decoding requires cooperation of all holders of private keys corresponding to y1 , . . . yn , decoding must be performed as follows (c1 , c2 ) := (c1 /c2xi , c2 ) for i = 1, 2, . . . Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Anti-kleptographic measures Pairs = point to point verifiability Encoding details Re-encryption knowing public keys y1 , . . . , yn , g, one can re-encrypt a ciphertext (a, b) = (m · (y1 · . . . · yn )ki , g ki ) of m by choosing ki +1 and computing: (a · (y1 · . . . · yn )ki +1 , b · g ki +1 ) which yields: (m · (y1 · . . . · yn )ki · (y1 · . . . · yn )ki +1 , gik · g ki +1 ) = = (m · (y1 · . . . · yn )ki +ki +1 , g ki +ki +1 ) Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Our solution - high level scenario I a voter’s PC is running a voting application I a Ballot Generation Server – prepares cards I a Registration Server – checks voter’s identity and inserts ballots into the system I Mix-servers decode votes I on the last Bulletin Board an election results and identifiers will appear Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Voting card, Identifier card I each card is a randomly shifted “list” of candidates I cards are indistinguishable – a voter’s PC does not know which one is a Voting card and which one is an Identifier card I the same operations are performed on both cards Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Card verification 1. a voter (her PC) obtains n Voting, n Identifier cards and commitments to the values used in cards from Ballot Generating Server (BGS) 2. a voter chooses one of the cards and verifies the rest – BGS reveals shifts and values needed to check if a card is properly encoded ⇒ a voter knows (with probability 1 − n1 ) that a card which she will use is proper Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Shifts – hiding information from a voter’s PC 1. a voter is informed about shift used in the unchecked card by an independent channel – phone line 2. a voter’s PC does not know shift used and does not know which card encodes votes and which encodes identifiers ⇒ voter’s PC will do not know a voter’s choice and will not be unable to change voter’s choice Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Voting ballot I voting ballot is prepared from Voting card and Identifier card by voter’s PC – a voter chooses an appropriate row (she knows shift used in the cards) I a voter’s PC and a Registration Server changes some values and re-encrypts ciphertexts contained in a voting ballot ⇒ only a voter knows the identifier ⇒ BGS cannot trace votes Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Cancelling procedure - advanced features I a voter casts a vote together with an anti-vote I I a vote is re-encrypted and appears on the first Bulletin Board, an encrypted anti-vote is kept by the Registration Server Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Cancelling procedure - advanced features I a voter casts a vote together with an anti-vote I I a vote is re-encrypted and appears on the first Bulletin Board, an encrypted anti-vote is kept by the Registration Server I the previous vote can be cancelled by Registration Server only with cooperation with a voter (a voter must sign an appropriate message) I vote and anti-vote are unlinkable Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Main features I coercion-freeness I global verifiability (randomized partial checking on mixing process, ballots correctly decoded) I local verifiability - every voter has “point-to-point” verifiability (in other schemes voter’s verification ends on the first Bulletin Board) Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Disadvantages I fairly complicated idea for voters with low mathematical skills well suited for young voters, computer freaks I an independent communication channel necessary Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts E-voting Requirements Tools and tricks Our scheme Scenario Cards Cancelling a vote Summary Thanks for your attention! Mirosław Kutyłowski, Filip Zagórski Coercion-Free Internet Voting with Receipts