>> Alias: Invisible cue. Thanks everybody for coming for the sixth and final series ender of
crypto with Senior Cryptographer Josh Benaloh from Microsoft Research. Raise your hand if
you've been to every one of these in person. Okay, cool. Awesome. Good. Thank you. And in
the back, is that Sandy in the back?
>>: Yes.
>> Alias: Okay, cool. So what we're going to do just to give you a sneak at it is I’m going to give
you guys lock pick sets, not like the cheap ones though, like the pretty good ones. Not over like
the area where you have to sign off the tax thing but as close as I can get. So it will be a little bit
of time to order those and get those shipped to you all and our office mail list to you as well as
probably e-mail you since I have all your aliases. For everybody involved, both who's
been to any of the sessions, we're going to send out a questionnaire. I appreciate your
feedback on that so that Josh and his counterparts and people in security can do more of
these more often as they’re relevant. So without further ado, one more round of applause for
Mr. Josh for all the contributions he's been doing for cryptography. Thank you.
>> Josh Benaloh: Thank you Justin, and welcome survivors. Sixth and final. All right. So let's
get going and get into sort of some of the interesting what you can do with this. Just as a
reminder if anybody missed the last session we talked about attacks of various kinds,
vulnerabilities, attacks, especially side channel attacks, lots of related things that can be done;
and we talked about some of the practical considerations that often give rise to these attacks,
how you can do a lot of the things that we need to do in cryptography as efficiently as possible.
So this time we're going to move on to some of the tools, the higher level things that can be
done with crypto, homomorphic encryption specifically. A few people asked me about bilinear
maps and pairings so I'm going to spend like two minutes squeezing that in, but I'm not going to
do much there just to give people a quick sense, secret sharing, zero-knowledge, and give a few
applications of these. The applications in particular, computing on encrypted data is becoming
a very hot field in a lot of ways if you think about it for very obvious reasons. If all your data is
in the cloud and it's encrypted what do you do with it? Just basically do use the cloud as just a
big storehouse and it can’t do anything or if you can actually encrypt on the data in the cloud
you can do a lot more, if you can compute on encrypted data in the cloud you can do a lot more
with it. The other thing I've been promising I'm going to talk a little bit about elections. It's a
good motivating example and it’s one near and dear to my heart. So I'll spend a little bit of time
on that.
So let me start on the computing on encrypted data application, and in particular, if you want
to work on data and do something with the data in encrypted form let's remember what
symmetric encryption typically looks like. Something of this sort where you’ve got sort of an
ugly function in here and you're just taking this data and making a mess of it. You're trying to
remove all structure; you're getting something that looks nothing like the original or anything
else. It's really hard to do anything with data that's been actively messed up as much as
possible. However, when we look at what we do for asymmetric encryption we've got nice
equations. We've got things like this for RSA where there's a nice mathematical description of
the relationship between the plaintext and the ciphertexts that we may be able to work with. Is
that a question?
So in particular RSA, excuse me, is multiplicative. And we mentioned this early on, a couple
months ago I think. Basically if you take an RSA encryption of one message and an RSA
encryption of a second message and you literally just multiply these two together, multiplied
mod n because everything's going on mod n here, literally multiply them, what you get if
you work it through is a completely valid encryption of the product of the two messages. Now
normally we put in all sorts of padding to prevent this from happening accidentally, but
sometimes we want to be able to do this, we want to be able to take the data and operate on
it. And here if we take this as raw RSA, take this data, take these two messages, in encrypted
form we can multiply them together and get a useful bit of information and a representation of
a computation. This computation, in particular, multiplication.
So RSA isn't the only example. There are a bunch of the functions like this. RSA, in particular,
has this multiplicative homomorphic property. Another very common function is the ElGamal
cipher. ElGamal is really just you do the Diffie-Hellman Key Exchange and you use that key as a
one-time pad effectively. You use that key and take the key and multiply it by your message.
So here's the message here being multiplied by what would come out of the Diffie-Hellman
result, and the recipient on the other end can sort of work this out and remove the key and just
get the message. And if you work this through there's a pair of values, but if you multiply things
appropriately, again, you get a multiplicatively homomorphic function also very commonly
used.
Now, there are some others. Goldwasser-Micali came up with this function that looks like
this. It’s designed for encrypting just the single bit but it has some nice mathematical
properties and provability, so it was a really interesting function when it came out, and it has
the property that if you multiply two Goldwasser-Micali encryptions you get an [inaudible]
of the bits. Okay? It can be useful for something.
Years ago, too many years, literally 25 years ago, I generalized this, [inaudible] 25 years, so here's
another function, just the straightforward generalization of that, but what you get is something
that's additively homomorphic. If you multiply two encryptions and this form the trick is the
message is in the exponent here. So with the message in the exponent, if you multiply two
things G to the M1 times G to the M2 it becomes G to the M1 plus M2. You get an additive
function.
This had some nice properties. One not so nice property was decryption is kind of cumbersome
with this. It’s possible, but it's kind of cumbersome. Some applications that's okay, some
applications you want to be able to decrypt. So Pascal Paillier came out about a dozen years
later with a generalization of this working mod n squared so you get some blowup in the
ciphertext size but it has the advantage that the decryption is much more straightforward and
easier to do, also additively homomorphic. So these are the most commonly used
homomorphic functions, but you can develop others. There's a whole host to choose from.
So we have these things that we can do. We can do additive, we can do multiplicative, what
we’d really like is something that does both. That was the Holy Grail for decades. If we could
simultaneously add data that's in encrypted form and multiply data that's in encrypted form
you can provably do everything. You can build out any function you want from just those two
operations. And it was long thought that that would be great, but it’s not possible. Nobody
was able to prove it but it was thought this structurally is just asking too much until five years
ago. Craig Gentry at IBM found a way to do this. Now a way to do this kind of in theory. I read
it as wildly inefficient. If you have another adjective that you could put there that's more
superlative put it there. Wildly in this case is about 25 orders of magnitude slower. So 10 to
the 25th power, I think modern processor does a couple billion instructions per second. Well,
this is a couple billion years to do one instruction at this pace. Yes it's possible, in theory really
interesting, but not quite practical for cloud computation.
But since then there's been more work done and things have gotten a lot better. It's still very
inefficient, we've shaved off a dozen or so orders of magnitude, it's still about 1 trillion times
slower than not working on encrypted data, but now you can do a cycle every maybe five
minutes or so, 10 minutes, something like that. We're getting there. What's more interesting
right now and we'd love to get this general form done, there are a lot of people working on this,
but what's more interesting right now is many special cases really are practical. You can't do a
full general computation of all sorts, but you can do a lot of specifics. And I'll quickly mention
one way of building an interesting specific and that comes from bilinear maps. Yep?
>>: What's the status of homomorphic encryption as resilient against quantum? I'm just
curious since you kept, can you give a one line summary of that?
>> Josh Benaloh: Oh, well, so let me roll that back a step and ask what's the status of
encryption that's resistant to quantum attacks? And pretty much all of the public key stuff that
I talked about is potentially vulnerable. If you built a good quantum computer you could factor.
That breaks RSA. You could compute discrete logs that breaks Diffie-Hellman. Some of the
lattice-based things that I talked about, the elliptic curve-based stuff also is based on discrete
logs. Some of the lattice stuff seems like it may be resistant so we might want to move that
way, I talked about lattice things I don't know, a month a half ago something like that, those
can resist. The ones that I showed just now, all these homomorphic ones, are based on these
mathematical properties that would fall if we were able to build a good efficient quantum
computer. However, the best quantum computers right now can factor 15. That's what we are
up to. There's some promising ideas, but there are also some fundamental barriers and it's
really not clear whether or not it's even possible. It might not be a technological limit; it might
be a limit of physics. We really don't know. But there are some promising directions that
people are going, and there is active work going on to talk about post quantum cryptography.
What do we need do to be ready just in case? And there's a lot of work in that area.
Okay. Let me spend a couple minutes digressing to talk about bilinear maps or pairings, people
like to talk about them sometimes. There are people in the room who know a lot more about
this than I do, but I'm going to give you a quick sense just to give you what I'm going to do. And
the idea is you have two groups, and we talked about mathematical groups when we talked
about elliptic curves, two mathematical groups and two elements presumably generate and
you have a function that takes elements of one group to another group with this property.
Now actually these two things could actually be separate groups. This could be G1 and G2, but
let's not complicate it. Let's think the simpler case of a pair of things from the same group
going into this other group, and it has this property that if you take G to the A and G to the B
you get the corresponding H to the AB in the other group.
Now a little explanation, Ron Rivest showed it to me about a month ago as a good
way to try to explain it and I think it's a good way to just get a little bit of a sense of what's
going on. So first an important thing to note is that you have, if you compose with G to the
power one you get H to the A. So you can go from G to the A to H to the A if you have one of
these functions very easily. So if I take a bunch of these objects, any of these, I can go to the
corresponding object in the G group to the corresponding object in the H group. And the
reason I'm listing these objects is this is the Diffie-Hellman problem that we started way out on
early on. If you have G and G to the A and G to the B nobody knows a good way to get to G to
the AB from that. But if you have A or B, you generated one of these two, then you can get this.
This was the Diffie-Hellman Key Exchange. But nobody knows how to go from these three to
this one or these three to this one. But we can construct groups with bilinear maps such that
you can go from this pair to this in this other group. Okay?
I'm not going to go into any detail about how or why, but you can actually leverage this to do
lots of interesting things. One thing in particular is you can build a homomorphic encryption
function where you can do as many additions as you want and you get one multiplication kind
of for free. Somehow here's a slightly more complicated function that you could do. If you can
do most things in addition and you need to do one multiplication we can do that. And you can
go from there small numbers of multiplications now we can handle reasonably well. Fully
general computation, not so good, but many special cases we can handle.
Okay. So I'm going to go back and look at one of the simple ones for a minute and try to
motivate this application that I'm going to talk more about later. So suppose we have just a
simple additively homomorphic encryption function, the kind we had 25 years ago. And I want
to encrypt votes as one, encryption of one is a yes vote and encryption of zero is a no vote. All I
have to do now is homomorphically sum the votes and I get an encryption of the sum. So if you
think of this if you want to vote yes you encrypt one, if you want to vote no you encrypt zero,
and we post all these encryptions. Anybody can see them. And all I have to do is take them,
literally just multiply them together, decrypt, and you get the tally.
Okay? That's the basic idea. Now there's a lot that's missing here. First of all, who holds the
decryption key to do this, right? If I hold the decryption key and can decrypt in the end I can
also decrypt all the intermediate votes and see how everybody voted. Probably not such a
good thing. Who's actually doing the encryption? If the voters encrypt then the voters have to
have some devices that will do encryption. If they use their own devices there are these little
malware type issues that might get in the way, there's also coercion kinds of stuff because
somebody could give you their device to use and say you vote on this device or install
something that captures your vote and there are some problems there. How do we ensure that
only zeroes and ones are encrypted, right? Maybe I really want to vote yes so I'll encrypt 1
million, put that up there, and it gets summed up with all the zeroes and sorry, nobody else
voted anything but zero, but I voted 1 million. We win. So we have a few issues. And I'll get to
these later.
>>: If all the encrypted values are either one or zero then there are only two encrypted values,
right?
>> Josh Benaloh: Not if you use a randomized encryption. So yes, you're absolutely right, if we
use a deterministic thing like a straight RSA
>>: Is there anything in a randomized encryption that is compatible with the homomorphic
encryption?
>> Josh Benaloh: Yes. Absolutely. So let me
>>: That doesn't make sense to me.
>> Josh Benaloh: Let me go back a little bit. So this function I developed for, specifically for use
in elections. That was my motivation. That was my dissertation. So effectively what you could
think of as N is the vote here, zero or one, R is a random value, and it turns out if you multiply
two of these things you get some other random value to this power E times G to the sum. And
because of the way things are structured this random things to the power E can be pulled off at
the end, but there are many ways of encrypting the same message by just having different
random values here. That can do it, and ElGamal has the same property here for multiplicative.
You have a random value that's part of this. It’s just RSA that's completely deterministic.
>>: So does it keep all random values that were used?
>> Josh Benaloh: You can keep all the values. Another way, remember when I said decryption
is cumbersome? It would be a matter of figuring out what the random value, what the
aggregate random value would be.
>>: [inaudible] once you go maintain
>> Josh Benaloh: You can. If you do that then the encryption is easy. But if you don't keep that
then it's more work to figure out what the aggregate R would be but you can find out. With this
there's actually an easy way to strip away this R to the N if you know the factorization of N.
Regardless, you don't have to keep track of what R generated it.
Okay. Forward. There we go. Okay. So the next thing I want to talk about is a very valuable
tool called the secret sharing, has lots of applications, and it comes out of a basic mathematical
fact that if you take any K points on the plane as long as they have distinct X values, then you
can interpolate a polynomial through them of degree at most K minus one. So why do we care
about this? I'm going to show you the simplest case that's the easiest to remember. Two
points describe a line, right? You have two points, you can figure out the line that goes
between them. So what I'm going to do is start off with points on the plane and then I'm going
to take a secret, and my secret value is going to be over here. My secret value is going to be
zero in the X position and some Y value and I'm not going to tell you what this Y value is, that's
my secret. And now I'm going to draw a random line that goes through there. And I'm going to
give everybody in the room or everybody I want to share this with points along this line. Now if
later on any two people come together they can figure out what the line is, they can figure out
where it hits the Y axis, they can find that point. But if there's just one person then that point
could be anywhere, right? You don't know. It could be anything that you could draw a line
through those two points no matter where on the Y axis the secret is. So they're all completely
consistent, you literally have zero information at all. Even though you’ve got it in some sense
half of what you need, you’ve got one of two shares, but you’ve really got nothing. Okay?
So this generalizes beyond lines to arbitrary polynomials. So let's say this looks vaguely like a
degree four polynomial. So maybe I gave out points on this degree four polynomial. So any five
of these points is enough to figure out what the whole polynomial is and therefore figure out
what the secret is. But if you have only four of these points then you really have nothing
because any four of these points is consistent with any possible value here as a fifth point to
give you a degree four polynomial. So it's a very sharp threshold in one of these things going
from zero information to complete information. Okay?
Once you have this way of sharing information such that you can build this sharp threshold you
can build a lot of tools out of it. So the simple way to work with this is just generate random
polynomials, here’s your secret, you have N people you want to share with, any K can
reconstruct, and you want to make sure that no fewer than K get any information whatsoever.
Instead of thinking of it as building the polynomial and points on a polynomial all you have to
do is pick random coefficients, make S be your constant term because this P at zero is going to
be S, and then these are random values and you just give out of this at random points or even
consecutive points, P1 through N is fine. Very simple to do, very efficient, turns out to be also
very efficient to reconstruct some very simple interpolation methods and you can do this
geometrically over reals or rationals but this also works if you're doing all the computations
Mod P. So now we get back into computer science domain where picking a random rational
number is not an easy thing to do but picking a random or set of random values here in the
range zero to P or zero to P minus 1. That we know how to do, all those possibilities now are
equally likely, and all the possible secrets in the range zero to P minus 1 are equally likely until
you reach the threshold of information.
So this works for distributing a secret. You can actually do some interesting computations on
shares. It turns out, maybe I should've put in a slide for this, but if I give you shares to secret A,
and somebody else gives you shares to secret B, you can take your share to A and share to B
and add them and you’ve got a share to A plus B. If you work it out, basically polynomials in
some sense are linear, at least in that sense as operators they are that you get a share of just
the sum of the coefficients and everything works out. Wait a minute. Now the share of the
coefficients, that's not right. But the points just add up, everything works out well. Also, if you
multiply, the same thing happens. You get a share of the product, but the problem is that now
the degree of the polynomials grows so it takes more shares to reconstruct the polynomial and
get the secret. So it works really well for addition, if you’re going to do it for multiplication you
have to be able to deal with more shares, maybe correct and re-share things and there are
some checks for that.
Using the techniques like this and similar techniques you can develop threshold encryption.
Threshold encryption is a way of encrypting such that you have N shareholders of the key. If
any K of them are willing to cooperate, they don't have to actually give their share, their key up
or whatever piece of key and reconstruct the key, they can each perform some function on the
ciphertext, and after the last one has performed it or after they put together their pieces of the
decryptions then you've decrypted the ciphertext.
This has the application in elections that we were talking about before, right? You don't want
one person to be able to decrypt all the votes, you normally have a board of elections that
adjudicates disputes or what not, maybe there are five people on the board, maybe it takes a
majority to resolve things, so you do a 3 out of 5 threshold encryption scheme on all the votes
and now any three of the members can get together and decrypt the sum, but it also takes
three of them to collude to figure out how anybody voted. Or maybe you want it to be four out
of five. You probably don't want it to be five out of five because then if somebody doesn't like
the way things are going, refuses to decrypt or loses a key or whatnot, you kind of lose the
election which is not a good property. So this threshold thing allows you to have some
robustness and still have some protection so no one or two or whatever threshold you set
people can figure out how people voted.
Okay. You can also build group signature schemes. Group signatures are sort of what you
might think of when you are signing something important, maybe a bank is signing something
or something where there are corporate requirements and you want, this is a check for 100,000
dollars so it takes three officers to sign off on it out of the company’s six officers, say. But you
can do it in such a way that you can check yes, this has been signed by a sufficient number of
people but the person receiving the signature has no idea which of the legitimate people. So
some three of this group of six did sign it and that's all I need, but I don't know which three.
And you can even generalize this in ways so that it can be the president of the bank and one
vice president, or three vice presidents on their own, or two vice presidents and three tellers,
or whatever it is. You can generalize it and form that such that some people have more power
than others in this. But you still, all you get is yes, this has met the requirements to be a valid
signature, I don't know exactly which set of people signed it. Okay? Again, you can see useful
applications there.
All right. One other tool I want to spend some time talking about. You may have heard of this
sort of bizarrely-named called zero-knowledge. And let me give you a little bit of a sense for
what it is. Any questions before I go on to this because this is going to take a few minutes.
Okay. So zero-knowledge really comes out to believing something without seeing it. Seeing is
believing, well, let's do it the other way. And if we were in a small group, I've done this, if there
are a half-dozen people, I’ll do this with actual cards, but I have to simulate this here. So it will
be a little less convincing, but you’ll get the idea. What I want to claim is that all of these cards
imagine I've dealt out, are red. And one thing I could do is to show them to you, see they’re all
red, but no. I want to convince you that they are red or at least that a card is red without
you're seeing it. So what I'll do is deal out these cards and have you pick a card. Now if
PowerPoint were really nice and dynamic you could pick a card and I flip that card, but I have to
simulate this. So you just picked card two and I turned it over and show it’s a king, particularly
a red king. And then you pick card let's say five and I turn that over, and you pick card three
and I turn that over, and you pick card one and I turn that over, and I remember the sequence
right. I've done this before where I've gotten it wrong and it's embarrassing. Okay.
So what do you have at this point? When you get through this, I've answered all of your
challenges correctly. I've shown you that these cards really are all red. So this last card. Now,
you've never seen this card or the other side of this card but still you have a pretty good reason
to believe that it's red. You're not 100 percent sure, but this cut and choose kind of worked and
you’re pretty convinced that it's red. In particular, this is an interesting kind of belief because
it’s nontransferable. If somebody else walks into the room and you say yeah, I'm sure that card
is red and that person just walked in and said okay, convinced me that it's red. I can't. I know
that it's red, or I have reason to believe it's red, but I have no way of convincing you that it's
red.
>>: Josh, is the essence of why I believe and the next person doesn’t believe in the fact that I
had the choice of which ones to sample?
>> Josh Benaloh: Yes. You put this [inaudible] in this proof. So if there's somebody who was
there the whole time but thinks you might be colluding with me, say, then they have no reason
to believe it either. But either way, if you are isolated from others at the time and you're
making the choices then you can't transfer this. If there is sort of a wire, somebody is
whispering to you choices to make, then that person will be convinced and maybe you won't.
>>: Is there a way that we can share some secret
>> Josh Benaloh: There is. It becomes cumbersome. There are a few things. There's actually a
more general approach to this of using the choices themselves to generate the randomness.
It's called the [inaudible] Shamir heuristic and I'm not going to say anything more about it unless
you're interested, but it's a really clever way of handling this and making one of these
zero-knowledge proofs non-interactive so that anybody could just look at the proof after and be
convinced of it.
>>: Is the non-transferability a feature or an anti-feature?
>> Josh Benaloh: It is usually a feature, sometimes it’s an anti-feature. Think of it in the
election context, it’s a feature of you’re being convinced that this is your vote without your
being able to show it to somebody else even if you want to. But there are contexts where it's
not a feature. So let me show you what this looks like. Of course, in the crypto scenario in that
context there are no cards there are encryptions, but it’s basically the same thing. I show you a
bunch of encryptions, I claim these are all encryptions of the string red and you pick one, let's
shortcut it, you pick the one to stay, I'll reveal the others. Now the way to the open these other
things I'm decommitting in some way. So one thing I could do is if these are encrypted I show
you the randomness that was used so that you could check yourself if this is a public-key
encryption you can repeat it. There are other ways of opening up commitments. You think of
one-way hash functions. If I hash the string red together with a random value then if I give you
the random value you can check and say, oh yeah, that is hash of red and a random value not
hash of black and a random value. But until I give you that key, that random value, it's
committed but closed. So there are lots of ways of opening this. Let's just think of this in the
encryption context where this is a randomized encryption, I give you the bits of randomness,
and I open these other values and show you these were all red, so again you have good reason
to believe this is red.
Now in this case this is a small case, how good your reason is, your confidence is, is not great.
There's a one in five chance that I could've to do you in this case. So let's look at a somewhat
bigger case. Maybe I could have 100 of these; and what I say is okay, here's an interactive
process, I claim that these are all red or encryptions of red or whatever. And you pick one and
identify that, and then I open up all the others and show you all the others are red and you
think okay, that one is probably red too and now since you would've had to, if I'm proving to
you, I would've had to guess in advance which of these hundreds that you would pick in order
to cheat you my chance of getting away with a black card under there is really just one in 100,
right? If I really want to cheat you then I have to guess your random pick in advance, and I've
got a one in 100 chance of doing that which is better, but this goes up only linearly and we’d
like to do a lot better than this in getting high confidence. These are weak interactive proofs.
Question, or
>>: Yeah. So you begin with a title zero-knowledge.
>> Josh Benaloh: Yeah.
>>: What is the thing, I don't have knowledge of the remaining cards
>> Josh Benaloh: Yes.
>>: But now I have knowledge of the other 99
>> Josh Benaloh: Right.
>>: Where are you hiding something?
>> Josh Benaloh: So the idea is that these other 99 are uninteresting in some way. They might
be random.
>>: How did you manage to put the only interesting data behind the card that I happened to
pick?
>> Josh Benaloh: Well, it might be
>>: [inaudible] interesting bit.
>> Josh Benaloh: No. Let me, it will become clear later on, but let me just give sort of a
preview. Suppose I want to generate, I want to produce an RSA key with some properties. And
if you factor it you can see that oh yeah, this is the two primes had certain properties. Now I
generate 100 things with these properties, 99 of them are going to be thrown away, the
hundredth you believe also has these properties but that hundredth is still protected. So that's
one approach to this. But I still want to do better than this one in 100. What I want to do is
instead of this where you challenge me by picking one value and I've got a one in 100 chance of
guessing the value in advance and hiding the right thing under there, I'm going to say what
you're going to do is pick a subset of these 100 things. And I want to make it so that the only
way that I can get away with cheating is if I can predict your exact subset. Now there's a one in
two chance on this one, and a one in two chance on this one, and a one in two chance on this
one of my guessing correctly. There are 100 things here. The chance of my guessing correctly
which subset you pick is one in two to the 100th. Roughly 10 to the 30th. Okay. This is not
going to happen. This is like, you picked a key and encrypted something, I just guessed your
key. It could happen in theory, hopefully doesn't happen in practice otherwise I'm not doing
my job right.
Okay. So if we can do this this is much, much stronger. And there are ways. And let me give
you a little bit of intuition before I show you what this would actually look like. So the way to
think of this is doing what's called a zero-knowledge proof of knowledge. And suppose what I
want to do is prove to you that I can get from some starting point, it might be a graph, it might
be some sort of a map or some complicated structure, a maze of some sort, I can get from the
start to the finish, I know a way of getting there; but I don't want to show you the way of
getting there. That's the zero-knowledge part. I'm protective of this. This is valuable. What I
can do, this is mostly just intuition, is pick 100 intermediate points somewhere in this large
complicated graph or structure and wait for you to challenge. So you'll challenge by picking a
random subset of these things and say you identify those and for anything that you identify I’ll
show you that I know how to get from the start to there, and everything else that you didn't
pick I'll show you that I know how to get from these intermediate points to the finish.
Now if there's any single case, any single example where I can get both from the start to a
point and from that point to the finish, then I can get there. But giving you this information I
haven't shown you any path from the start to the finish. Suppose I want to cheat you. Well,
since in every case you challenged me I gave you the correct response, I showed you that I
could give you the path that I was supposed to, then if I were in even one case able to answer
the opposite way, then you know that I can get from the start to the finish. So the only way I
could possibly have cheated you and not be able to get from the start to the finish is if I know
exactly in advance what choices you're going to make and then I can structure things so here's
something I know how to get to the finish from, here's something I know how to get from
the start, I think I did this backwards, but anyway. I can get to this from the start, so I’ll create a
point here that I can get to from the start, I'll create a point here that I can get to the finish on
etc. and give these points, I still don't know how to get from the start to the finish but I can
convince you that I do if I guess in advance exactly what set you're going to pick.
>>: So to convince me that you're going from the start to finish you're asking not only how to
get from the start to finish but how to get from start to every point in the set.
>> Josh Benaloh: I picked these points. These are intermediate points that I picked. So this is
intuition right now. I'll give you a more structured form of this in a minute. But let me start off
with a more direct problem that you might run into. I claim to have a private key corresponding
to a known public key. So there may be a certificate of some sort that's been issued in my
name and the person with the certificate and with this private key is supposed to have access
to some resources. This is a very common thing. I should be able to get into this bank account,
I should be able to order some merchandise, or order some action be taken, or have access to
some data or whatever. So here's my certificate, this is showing that I should be able to get
there if I have the corresponding private key. How do I show you that I have the corresponding
private key? Well, one way is I can give you the corresponding private key. You say okay, well,
yeah I guess so, all right, good. You check it, you check that it matches the public key, it works,
great, you let me in. Not so good next time because now you have the private key it doesn't
work so well.
So here's a somewhat better method. Maybe I prove to you my ability to decrypt a message of
your choice. That shows you that I really do presumably have the private key because you
encrypted with the public key, I can decrypt, you believe it. Okay, except now I'm being an
Oracle. Maybe you’ve got this message that you really want to decrypt, you've been, you're in
the NSA maybe or whoever, you’ve been wanting to decrypt this for a long time and here I
come along saying okay, I'll decrypt one thing for you. Great. That's not good. And you can
hide this in various ways so that it's not obvious to me that I'm decrypting something that might
be of value to you. So I don't want to just decrypt some message of your choice. What I want
to do is something a little bit more sophisticated. I want to decrypt the message of your choice
but only after I'm sure that you already know the decryption. So it’s zero-knowledge for you.
You will not learn anything from my decrypting this. Okay? How can I do this? Well, let's go
back to this sort of graph case.
I start off with this encrypted value that you gave to me. You showed me this value; you
wanted me to decrypt it for you. What will happen is you will also create 100 more dummy
encryptions of things that you don't care about and I presumably don't care about. It doesn't
matter. These are all your encryptions of other things. And I will challenge you. I'll pick a
random subset of your dummies, your dummy encryptions, grab those and say okay, prove to
me that you really did have decryptions of these. And you open them and say okay, I believe it
on those, what about the rest? What I'll say is for each of the rest you should show me that
you know M times the decryption of this thing. So here’s this encrypted message, here's this. If
you have both M times M2 and M2 then you have M. And you've convinced me that you're
able to get the decryptions of anything that I asked you to decrypt. So if you had the
decryption of this and you had this then you do already have M. Those two things together give
me that confidence of you must already have the encryption of M, you must already have M
itself so now I'm willing to give you M because you presumably already know it.
And in fact, if this is a homomorphic encryption function we can save a step and do this the
other way around. What can happen is you give me encryption of M, I give you a bunch of
these dummies, and I'll decrypt for you without ever opening M. I'll just prove to you that I
know the decryption of this. I prove to you, you give me E of M, I prove to you that I know M
without ever giving you M by I give you a bunch of these dummies, you challenge me, and I'll
open things according to your challenges and you can check that these are correct because this
has a valid encryption of E of M times E of M2 which you can generate on your own if it's
homomorphic. So you can save a step there, but only a quick step. But this gets at the idea.
There are other kinds of zero-knowledge proofs, also very powerful, can do a lot of things, very
high confidence that certain things are true. Okay. Yeah. Question.
>>: Couldn’t we use this [inaudible]?
>> Josh Benaloh: Well again, then I would be signing something, where did it come from? If I'm
signing my own, something that I chose to sign then you might say well, maybe I got this from
somebody else who really has the key and I just got that person to sign something last week.
If I'm signing something of your choice then I'm signing something that you've just given to me
and I don't maybe it's a contract, a pledge to give you 1 million dollars. So you’ve got that same
thing of before I sign it I want to know that it's okay, in some sense. And you want to be sure
that it's not some old thing, you want it to be fresh, so you want to give it to me, but I don't
want to just sign something that you gave to me. So you have exactly the same thing coming
up in that case.
>>: So I’m trying to understand the distinction between zero-knowledge and zero-knowledge
proof of knowledge. Why isn't this called zero-knowledge? Why is this called zero-knowledge
proof of knowledge?
>> Josh Benaloh: Well, in this case what I'm just proving, in this little piece of what I'm proving
is I know the decryption of this value without actually revealing this value.
>>: Okay.
>> Josh Benaloh: Okay? It's one kind of the zero-knowledge proof. There are zero-knowledge
proofs that don't have this structure at all. I can show you that I can distinguish between things
of a certain kind without giving you too much information and prove to you that certain graph
problems are solvable, graph isomorphism or graph non-isomorphism are classic cases.
>>: Those would be called zero-knowledge proof of distinguishability?
>> Josh Benaloh: Some of them are zero-knowledge proof of distinguishability. In general, it's
all just zero-knowledge proofs. This is just one class of zero-knowledge proofs.
Okay. So I've left just enough time to get back to the election example because I really want to
do this. Okay. The threshold homomorphism was able to get that the problem of who can
decrypt. These zero-knowledge proofs can get at the other problems that I mentioned. You
can use them so that I as a voter can go up to a device and it can encrypt on my behalf and I can
be sure that it's encrypting the right thing. I can be sure that it's encrypted red or whatever
party that is or whatever candidate that is without it revealing to me the details that will allow
me to go to another person and show this other person how I voted. Also, you can use this
zero-knowledge process to show everybody that this really is an encryption of red or black or
zero or one and not an encryption of 1 million and make sure that it’s a legitimate election.
So let me give you the detailed application that I've been working on. Two sessions ago, May 2
I guess it was, not the last one, I ran out of this room and went directly to the airport, went
down to Travis County, Texas where we are working on an election project. Now, Travis
County, Texas is one of I think 249 counties in Texas. It seems like a small thing, except if you
look inside Travis County, that's Austin. There are 1 million people there. It's not quite that
small. There’s a project that we are working on, very interesting requirements, I won't go into
all the details of why we're doing it this way, but we are building one of these cryptographically
verifiable election systems for Austin. And other counties are starting to get really interested
for reasons I'll get into in a minute.
So let me show you what the process looks like. What we've designed is a voter will go in, sign
in to vote, get some sort of a token, and go up to a ballot marking device. Basically, a tablet. In
fact, probably a win8 tablet with nice TPM and all sorts of nice features, but there are a lot of
reasons why win8 tablets work really well here, but basically use this device to make selections.
Nice full-featured device, you can make your choices, check them, change them, people who
have accessibility needs can go use headphones, just plug them into a USB port, whatever,
there are all sorts of things that are really nice and easy to do here.
This isn't voting. This is marking a ballot. So what happens when you're finished with this and
you say okay, I'm happy, I want to vote, you get a receipt. This receipt has three parts. It has
actually in clear text what’s sometimes called a ballot summary. This is a list of the choices that
you’ve made. It's not the full ballot of all the possible choices; it’s just that these are the
selections I’ve made so it's quite compact. You get the encryption, because the whole point
was that we have an encrypted ballot so here it is in 2-D barcode, and you get some sort of a
take-home receipt. You could take home the entire encryption, but really all anybody's going to
want to deal with is just probably a hash of the encryption. Just something short, a hash code
of some sort, a one-way hash, okay?
What a voter can do is take this receipt, remove the take-home part perforated, this could also
come as two separate pieces of paper or one as the ballot summary encryption, one is your
take-home receipt, take that off and with this thing, haven’t voted yet, you have one of two
choices, either you cast that ballot or you spoil that ballot. Casting that ballot means go over,
drop it into a ballot box. Part of this system is every polling site has a ballot box; the voter
actually casts the vote by dropping that piece of paper in the ballot box. It doesn't count if it
didn't make it into the ballot box. We now have a paper record of if anybody wants to check
the paper. Here it is; it’s in the ballot box. Scanner in the box actually reads the ballot number
so we know yes, that ballot’s in the box, electronically the ballot captured by the ballot marking
device, that encryption can go back over the local network to the host machine and be
preserved. It’s not cast if it doesn't make it into the ballot box.
What's the other choice? Spoiled, which is go back to the poll worker and say, I'm not happy.
I looked at this ballot summary, I’ve changed my mind, I want to vote differently, or for
whatever reason I'm not happy. A spoiled ballot acts as a challenge in one of these interactive
proofs. It is sort of a subtle way that doesn't have to be in voters’ faces, but anybody who
actively wants to gain confidence that this is an appropriate encryption can spoil a ballot or
two. A spoiled ballot means a voter takes this ballot to the poll worker, gets a new voting
token, can retain the receipt and even copy the spoiled ballot if desired, and go home after
repeating the process as many times as desired. Anything else has not been voted. Okay?
So what do we have at the end of this process? Here's the verifiable record that comes out.
We’ve got all the cast ballots in encrypted form; they’re posted publicly on a public website.
We’ve got all the spoiled ballots and their decryptions together with any keys, any randomness
necessary to decrypt them. So you as a voter, what are you likely to do with your receipt?
Probably crumple it up and throw it away. That's okay. It's okay if 99 percent of voters do that.
Some small fraction of voters might check, go on the website, take a look at the receipt, make
sure oh yeah, my ballot is up there. If you're really diligent and you spoiled the vote, oh yeah,
my spoiled vote is up there and it decrypted the way I was expecting it to. That's the check.
That's sort of this cut and choose, this yes, it's red. It opened to the color I was expecting, to
the vote I was expecting. You're probably only doing it once or twice at most, but there are a
lot of voters out there. This list doesn't have to be very long to gain pretty high confidence.
>>: How do you know that the spoiled ballot is correct?
>> Josh Benaloh: You have
>>: If I brought my receipt, I would know that what I thought should've been on there is on
there
>> Josh Benaloh: Yes.
>>: But everybody else's spoiled ballot
>> Josh Benaloh: Yeah.
>>: I have no way of knowing if it’s correct.
>> Josh Benaloh: You're responsible for checking your own ballot. Part of the record is this,
and what will be checked by any election verifier out there is this association, and I’ll get to this
a little bit more in a minute, and that all of these decryptions are correct. So you don't have to
check that this decryption matches. You just check that this is what you're expecting and sort
of it’s part of the election record that this is consistent with that according to this [inaudible].
So you can imagine that election verifiers are written by the candidates, probably the
candidates parties maybe, election media, sorry, the broadcast media, special interest groups,
League of Women Voters, ACLU, whatever, anybody who’s interested. And it's not that hard. A
professor at Rice who was part of this project assigned to his first year programming tech class
the task of writing election verifiers for this kind of a system. Two-week project, most first year
programming students were able to do this. So not that bad, and you can sort of download as
many election verifiers as you want, run as many as you want, or what most voters will do is
believe the results. That's okay. You have your choice. You can choose who to trust here.
So just quickly, how does this process work? Well, what we have is encrypted ballots. You
can’t see what's in there. They’re encrypted. Okay. Let's take a look. This might be what
they’re encryptions of. Let's make a little room. If we take these encryptions and multiply
them together we have an additively homomorphic function. So that product matches the
sum and we get exactly what we should get there. Now that's not what's actually seen. What's
seen is this, these are encrypted, but at the end of the process the requisite number, the
threshold number of election officials can come along and decrypt this aggregate value, provide
the randomness so that you can check, anybody can check that this really is a correct
encryption of this aggregate value that matches all of these things, provide all this, and you’ve
got a verified election, okay? Yep?
>>: How do I verify that those [inaudible] ballot scores are actual voters [inaudible] some
malicious
>> Josh Benaloh: Good point. So the way that I prefer doing this is there's also a name next to
each of these. This is my ballot. I can check this and then anybody can check and say, wait a
minute, that person died last year or moved away or whatnot. It's preferred that this be done
with actual names. There are many reasons why people are squeamish about doing it that way.
>>: Sure.
>> Josh Benaloh: So what we are actually doing in practice in this case is these things are
associated with the take home receipts and there are other more traditional checks that the
right number of ballots are in place, everybody is signed in, that's what the first step was, you
can get a count of the people who have signed in, you can check this against the count of
posted ballots, everybody has the ability to actually check that their posted ballot is there. Now
in King County when you mail in a ballot we have the process where you can check online and
say oh yeah, my ballot’s been received, it's been counted according to the election office. It's a
claim that they've made. There's no real confidence that you have. Here, you can check and
say yep, there is my ballot, it’s there, it is actually part of the count. And you get that
confidence. Yeah.
>>: Kind of similar, is there a way for me as a voter to prove to the verifier that my ballot should
have been cast? Like I put it in the ballot box?
>> Josh Benaloh: Not explicitly. The way to think of this is as an audit mechanism. You can tell if
something's gone wrong; you can't necessarily correct it if it's gone wrong. You can shout and
complain and wait a minute, I've got this receipt, look at this, it's a legitimate receipt, where is
my ballot? If you're the only one doing that then people might say well, maybe it's a forgery or
some sort, do some forensic analysis on it, maybe not, whatever. If thousands of people are
saying this, they've got this paper record; something really seems to be wrong, this is going to
require an investigation. But at least you know. In current systems you’ve got no idea. Put the
ballot in the box, go home, close your eyes, here's the count. See you in four years. That’s as
much as you can verify. Here at least you can see when something's gone wrong. Yeah.
>>: Is it possible to make each vote more secure than the aggregate sum or does that require
trusting [inaudible]?
>> Josh Benaloh: Secure in what sense? Private?
>>: Less decrypted.
>> Josh Benaloh: With this system, no. With this system no, and it's hard to imagine a way that
it could be because imagine that what I do is the trustees come together but they’ve just
removed this last vote from the process and they decrypt without that last vote. Then they
decrypted an aggregate, but by doing that and decrypting with that vote in and without that
vote in they know what that last vote is. So, in some sense that’s as decryptable as the tally if
you can decrypt aggregate tallies.
>>: Like if you sign on the ballot as I put in the ballot box then I have a way to prove to you the
custody of my ballot.
>> Josh Benaloh: Potentially. It turns out signatures don't help a lot here because any
malicious device is going to give you a bad signature. So now if you go home with this and you
come back and say I was cheated they'll say well, that signature’s not right. So you have to
have a way of checking the signature in real-time to make that a useful [indiscernible]. Yep.
>>: So the focus here seems to be to protect against fraud.
>> Josh Benaloh: To protect against, to ensure that the tally is correct.
>>: Right. And then the board will verify that his vote was accounted for correctly.
>> Josh Benaloh: And that all recorded votes were properly tallied.
>>: Right. So is there a way to, in a different country, a different place you might also need to
be protected against coercion.
>> Josh Benaloh: Yes. That's very important here. If we don't want to protect against coercion
then it's really easy. We just open this up and publish the list with the names. This is all
designed so that you have protection against coercion because you are casting your vote, in this
particular scenario it’s in a monitored poll site, people are ensuring that there's nobody over
your shoulder while you're having this device create a ballot on your behalf, create an
encrypted ballot, and you can't decrypt that ballot. So you can’t show it to a third-party.
You’ve got this nontransferable zero-knowledge proof, effectively.
>>: So if [inaudible], so for that to happen I should believe the [inaudible]. Is that right?
Because if I take the token out of the polling booth
>> Josh Benaloh: Token is the randomness. The token that I showed you at the very beginning
of the process
>>: Sorry. I meant the receipt.
>> Josh Benaloh: The receipt is just the receipt of the encrypted value. The receipt doesn't
allow it to be decrypted.
>>: The plaintext.
>> Josh Benaloh: The plaintext, that stays in. There are the two things that you receive. The
ballot summary, the plaintext, that goes in the ballot box. If that didn't make it to the ballot
box it's not a vote. So if you took it home, that's not how you voted because you didn't vote.
So you have that. Is there another?
>>: [inaudible] some sort of structure here this also seems easy to like if I somehow squeeze in
some noise into that thing, I invalidate everything in some sense, right? I mean
>> Josh Benaloh: If you manage to get one ballot with 1 million here
>>: If I have [inaudible] like something happens
>> Josh Benaloh: Yep.
>>: Then everybody throws up their hands and say oh, I don't know what happened.
Something's wrong.
>> Josh Benaloh: So it shouldn't happen. There's a lot here to try to keep that from happening.
There should be an interactive proof that every one of these ballots is legitimate. So one in two
to the 100th chance that an illegitimate ballot gets through, but there are other mechanisms. We
built in a postelection audit mechanism and we've got that paper trail. If anybody ever cares,
there's still that box of actual ballots that people can go through.
>>: [inaudible]. So I mean I could go home and just take a marker and printer and make
random noise and encrypt what I want but I might not go well in that process. So is there also a
signing [inaudible] something like that?
>>: How does the ballot box know that it's a fake?
>> Josh Benaloh: So the ballot box is on a local network. So what's happening is the ballot box
is communicating with the ballot marking devices and it says okay, here's the ballot ID that's
active right now, let me know. You should probably see it within the next few minutes, let me
know when you do, and I'll record that ballot as now being a cast ballot. So that's where the
process is. It’s all done locally. This is not Internet connected. This is a local network.
>>: Is that where the token ties in?
>> Josh Benaloh: The token is just, the lingo here is a ballot style. You can walk into a polling
site that might have thousands of different local races for different jurisdictions and the token
is just which local races are you eligible to vote for. The way they do it in Travis County is you
can go into any polling site anywhere in the county from anywhere and there may be
different ballots available. So that's what that’s for. Yeah.
>>: So I want to know what sort of key material is needed not only to decrypt but to encrypt
this.
>> Josh Benaloh: Public. It’s all public key materials. So the public keys of the trustees,
effectively. So nothing sensitive. Yeah.
>>: [inaudible] follow the intention of evidence here. So the cast ballots you're showing the
encrypted form but not the actual votes? The trustees have the key but they’re decrypting it
and they could post decrypted posts if they wanted to or trust the trustees. What's the
motivation for not just posting the individual mappings between cast ballot and list and
individual votes if the voter’s name is not on there?
>> Josh Benaloh: That can be done. There is a coercion threat called the pattern voting. The
idea is that I want you to vote for me as mayor. And there are these little judgeship races and
county dog catcher races at the bottom of the ballot. And I want you to vote for this judge, this
judge, this judge, in this particular pattern. And there are so many little races out there that I
can assign you one pattern and everybody else a distinct pattern. And then I say your vote had
better show up with this pattern, had better show up for me as mayor or you're going to lose
your job. And that's the thing we have to protect against.
>>: [inaudible] casting separate ballots for each race?
>> Josh Benaloh: Yeah. Effectively what happens is they get split up per race, and we
actually do post the decryptions; for postelection audit purposes we post a list of the individual
votes that are cast, but the ballots that they are associated with are shrouded. They are
encrypted or hashed, committed to; and for postelection auditing processes we can go and pick
random votes and say, here's this list that says there were 32,000 votes for that candidate, let's
pick this one and find the paper ballot that’s supposed to be associated with it and we can do that,
but we don't want to have that list associated with the actual ballot numbers open because
then you could piece together the ballots into this pattern voting trick.
>>: Is there a mailing solution or do you have to physically go there to vote?
>> Josh Benaloh: This is designed as an in person system. There are mail-in ways of doing
similar things. Right now what we're doing here is any remote ballot just gets remade and
added to the system. You don't have an opportunity as an individual voter to check that your
ballot, if it's remote, has been entered properly. Eventually we want to do that, but first pass
that's not part of the system. So, two more slides.
So why do we do this? Well, current technology we have to trust things with current election
systems. You have to trust the people that manage your votes. You have no choice. If they’re
corrupt, you might know they’re corrupt and hey, it’s the mayor, give me your votes
>>: [inaudible].
>> Josh Benaloh: Yeah, right. The equipment and its manufacturers you have to trust and
that's a big problem, growing problem because often the officials just sort of bring in the
equipment people and say, we don't know what's going on, you tell us what happened. The
process is used. With this method, what I'm showing you here is you can eliminate this trust.
You don't have to trust anybody. Or, if you don't really understand the crypto or don't want to
do the check yourself, you still have the benefit because you get to choose who to trust. You
choose your candidate or your party or your favorite news media or whoever else rather than
these are the people you have to trust and if you don't like it go take a walk. Okay? Yeah.
>>: Don't you [inaudible] trust the officials since they hold the decryption keys?
>> Josh Benaloh: You trust privacy in the collective trustees of the election. So if the trustees
of the election all collude they could reveal your vote. In fact, if the ballot marking device is
corrupt it could reveal your vote because it could retain the randomness that it used in
generating the encryption and then supply it to the third-party. So there is trust for privacy.
But the integrity of the election, the actual tallies being correct, is absolute. You don't have to
trust anybody.
>>: Is there any tie between user’s identity and everything that goes from ballot marking device
on?
>> Josh Benaloh: In this system, no. Once you vote then your ballot ID is retained but your
identity is not, but you do go home with a receipt that somebody could say okay, give me the
receipt. I also have all the decryption keys, I'll check all this. Yeah.
>>: Sorry to make you answer this question again, how am I sure that all the votes are
legitimate?
>> Josh Benaloh: You mean zero, one legitimate or from legitimate people?
>>: [inaudible] I know matches and it’s all good, but how much all the other ones corresponding
to legitimate votes?
>> Josh Benaloh: So there are two kinds of legitimate here. There's does this vote match my
intentions, my chosen selections? And that's up to each voter to check. But is this vote from a
legitimate voter is another question? My preferred way of doing that is we do have a list of
names next to every vote and then it's a matter of public record. You can just sort of check and
look and see, check your neighborhood. There are people who do canvassing regularly and
check the voter rolls in close elections and who's actually voted. But in lieu of that right now
with this system where we don't have names posted it’s more traditional processes of there’s a
list of people who've signed in, here are the people who voted, here are the actual votes, the
numbers match, and we get it that way. Yeah.
>>: So [inaudible] the election trustees have the private keys required to decrypt the file
homomorphic tally?
>> Josh Benaloh: Yes.
>>: They then keep that a secret. How do we verify the results of the homomorphic tally
decrypts to the actual results?
>> Josh Benaloh: It’s a verifiable decryption. What’s actually released is not just the decryption
but the randomness, the random component so that anybody can take the public encryption
function, the decryption, and the random value and encrypt and say yep, here's the encryption.
If I take these two things, encrypt, I get that. So this is a correct encryption.
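The verifiable tally described above (multiply the posted ciphertexts, trustees publish the decrypted total together with its randomness, anyone re-encrypts and compares) plus the spoiled-ballot opening, as an added Python example that is not code from the talk or from the Travis County system. Paillier is assumed as the additively homomorphic scheme, since the talk does not name one, and the key, candidate names and votes are constructed.

```python
"""Added example, not from the talk: a toy additively homomorphic tally with
verifiable decryption.  Paillier is assumed as the scheme (the talk does not
name one).  Trustees publish the decrypted total AND the randomness of the
aggregate ciphertext, so any verifier can re-encrypt and compare.  The key
is constructed and far too small for real use."""
from math import gcd
import secrets

# toy Paillier instance (constructed key; real deployments use 2048-bit n)
P, Q = 1_000_003, 1_000_033                  # small primes, illustration only
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                         # decryption constant for g = n+1
N_INV = pow(N, -1, LAM)                      # used to recover the randomness
CANDIDATES = ("red", "black")

def encrypt(m, r):
    """Public operation: E(m; r) = (1+n)^m * r^n mod n^2."""
    assert 0 <= m < N and 1 <= r < N and gcd(r, N) == 1
    return (1 + m * N) * pow(r, N, N2) % N2

def random_r():
    """Fresh randomness for one ciphertext (kept by the device for spoiling)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def decrypt(c):
    """Trustee operation.  Returns (m, r), not just m: once r is published,
    anyone can check encrypt(m, r) == c without holding the private key."""
    m = ((pow(c, LAM, N2) - 1) // N) * MU % N
    # c * (1+n)^-m == r^n (mod n^2); reduce mod n, then undo the n-th power
    r = pow(c * pow(1 + m * N, -1, N2) % N2 % N, N_INV, N)
    return m, r

def verify_decryption(c, m, r):
    """Public check of a published (ciphertext, plaintext, randomness) triple."""
    return encrypt(m, r) == c

def mark_ballot(choice):
    """Ballot marking device: one 0/1 ciphertext per candidate.  The opening
    (plaintext, randomness) is what the device reveals if the ballot is spoiled."""
    enc, opening = {}, {}
    for cand in CANDIDATES:
        m, r = (1 if cand == choice else 0), random_r()
        enc[cand], opening[cand] = encrypt(m, r), (m, r)
    return enc, opening

def check_spoiled(enc, opening, expected_choice):
    """Voter's cut-and-choose check: the opening must match every ciphertext
    and encode exactly the selection the voter made."""
    for cand in CANDIDATES:
        m, r = opening[cand]
        if not verify_decryption(enc[cand], m, r):
            return False
        if m != (1 if cand == expected_choice else 0):
            return False
    return True

def aggregate(cast_ballots):
    """Public: the product of the cast ciphertexts encrypts the per-candidate sum."""
    totals = dict.fromkeys(CANDIDATES, 1)    # 1 == E(0; 1), the identity
    for ballot in cast_ballots:
        for cand in CANDIDATES:
            totals[cand] = totals[cand] * ballot[cand] % N2
    return totals

def tally(cast_ballots):
    """Trustees decrypt only the aggregate and publish (count, randomness)."""
    agg = aggregate(cast_ballots)
    return {cand: decrypt(agg[cand]) for cand in CANDIDATES}

def verify_tally(cast_ballots, published):
    """Election verifier app: recompute the aggregate from the posted ballots
    and check that each published (count, randomness) re-encrypts to it."""
    agg = aggregate(cast_ballots)
    return all(verify_decryption(agg[c], *published[c]) for c in CANDIDATES)

if __name__ == "__main__":
    # constructed sample: one spoiled ballot, then four cast ballots
    enc, opening = mark_ballot("red")
    print("spoiled ballot opens to my choice:", check_spoiled(enc, opening, "red"))
    cast = [mark_ballot(v)[0] for v in ("red", "red", "black", "red")]
    published = tally(cast)
    print("published tally:", {c: m for c, (m, _) in published.items()})
    print("tally verifies:", verify_tally(cast, published))
    bad = dict(published)                    # tamper with one published count
    bad["red"] = (published["red"][0] + 1, published["red"][1])
    print("tampered tally verifies:", verify_tally(cast, bad))
```

The verifier never touches the private key: a tampered count fails simply because no randomness re-encrypts it to the posted aggregate.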
Okay. Last slide. Apologies for running over. This is good. I appreciate the interest. Another
benefit of this is cost. And this is where a lot of the county, Travis County wants to do this
because of good election integrity. They really seem to care about doing things right. There are
a bunch of other big counties in Texas that have suddenly gotten interested in this, basically
because what they're doing is this traditional method, which is they got this proprietary
equipment that's gone through elaborate certification processes, and it's not clear the
certification has much value. But there’s been all this certification, it's expensive to certify, it's
expensive to purchase because this is proprietary stuff, expensive to maintain, we are changing
the model here. You're not certifying the election equipment anymore and then closing your
eyes and hoping that it’s still good, we are certifying actual elections. Doesn't matter what the
equipment is. So we can use cuts. We can use off-the-shelf tablets. Much cheaper. A lot of
these other counties are saying hey, cheaper, that’s good. This wasn't my intention getting
involved in this, but as I mentioned earlier when the analysis was done by people at Rice on
what the best voting terminal was, they came out with by far win8 tablets are the best thing for
this. So, hey, great. I'm happy about that.
>>: Was that big funds?
>> Josh Benaloh: Big
>>: Funds?
>> Josh Benaloh: Well, large display, long battery life, peripherals, being [inaudible], lots of USB
ports, TPM is a nice thing to have so that you can have confidence that the right code is running
for privacy reasons, for other things, there are a lot of benefits to having a win8 tablet. And
also they're cheaper than some of the alternatives. So it seems like a very good choice. Now
we're not going to make or break the company on this, but it's a bonus.
Okay. I've gotten to the end. Any final questions? Yes.
>>: I have a final question. This is not [inaudible] but you have a lot of experiences voting. So in
the previous slide, the one where you actually said they would have to trust the officials and
cryptography allows us to [inaudible], your audience are people who science, they are
interested in science. So that’s the audience. So it just feels like you're fighting a losing battle
>> Josh Benaloh: So many people who have said, well yeah, you don't have to trust election
officials, but you're asking me to trust cryptography instead. That’s worse. Or even
mathematics or something like that. My answer to that is at least with this you can choose who
to trust. You’re not forced to trust these people, you don't have to learn the mathematics, but
you can trust, if you like Fox News, you can trust Fox News. Or whoever.
>>: Fox News is [inaudible].
>> Josh Benaloh: I missed that.
>>: I said that only works if Fox News has a mathematician. If your particular community says
well, this is a bunch of hocus-pocus
>> Josh Benaloh: So an election verifier
>>: But Fox News already does that.
>> Josh Benaloh: Yeah. It’s true. A legitimate election verifier app has two outputs, two
possible outputs. One is yes this verifies, but the other is not no, this doesn't verify. The other
is no, this doesn't verify because this step here is supposed to be A plus B and it's not. And
anybody should be able to check. Wait a minute, here's the point. You can get away with it, I
tried it, it didn’t verify so I don't believe it. You shouldn’t buy. Yeah.
>>: So I think I know what your answer is but I just want to make sure. So did you say that
anybody can take only what's published and [inaudible] homomorphic encryption and decrypt
it and say this tally is correct?
>> Josh Benaloh: Not anybody can do it. Only the election trustees can collectively decrypt the
aggregate tally and then prove that it's correct in a way that anybody else can verify.
>>: How do they prove it?
>> Josh Benaloh: By releasing the associated randomness. So think of, I should've spent more
time on this, I apologize. But what you can do is think of a public encryption as encrypting two
values, the data and a random component. And those two together encrypt to form the cipher
text up here. Now, if I take this and decrypt it I could just give you the data but you have no
idea whether it's correct or not. But if I also give you the randomness then you can check
yourself by re-encrypting and saying, the randomness together with the data that does
correspond to that.
>>: So the [inaudible] private key
>> Josh Benaloh: Absolutely not. They should not ever. Okay. Yes.
>>: So what do you think about voting schemes like [inaudible] they have [inaudible]
certificate?
>> Josh Benaloh: Estonia is broken. Estonia has been very proud of their Internet voting
system for a few years. They got a little too loud about claiming it's great, and a couple of
friends and colleagues went over and if you look in the news just last month they went over
and showed how easy it was to break the Estonia election system just before the European
elections so that is completely vulnerable, you can create any tally you want, it's not that hard
even. And there were people in Estonia who really knew this. There were people who
understood this and tried to get them to do it right and failed. So now this is very public, and of
course there's a lot of embarrassment and there's a lot of distrust of these people who have
come in and broken their system, but it's getting some attention. So there have been people
who have tried Internet voting, and there have been countries that have tried Internet voting.
For the most part they're not doing a good job. And there are some states that are starting to
do some Internet voting. We do know how to do it well; it's not being done well. Yes.
>>: So do you see any flaws in the system? Do you see any weaknesses?
>> Josh Benaloh: I see a lot of benefits in this system as is. There are still some issues. The
biggest thing that I would like to have that’s not here in when I showed you is if I see corruption
or, corruption isn’t the right term, I see that I've been cheated, my ballot has not been posted
or I see that it's posted, I tried to vote for Adams, I spoiled it and what you posted was a spoiled
vote for Jefferson. So during the interactive proof you claimed it all red and I challenged you
and turn over a card and it came out black. Okay. Now I know there's malfeasance going on
and I know there’s cheating. I don't have any way to prove that to a third-party because that's
indistinguishable in this system from I really didn't ask for a vote for black and it gave me a vote
for black. So having evidence of malfeasance would be a useful thing to add.
>>: [inaudible] display your ballot you’re going to keep the label thing
>> Josh Benaloh: You keep the labeled thing, but only you know who it was that you voted for.
So you mean the ballot summary?
>>: Yeah, you’ve got a cute sheet of paper that came out a marking sheet.
>> Josh Benaloh: Right.
>>: And it's got the name of it; it’s got Jefferson on it.
>> Josh Benaloh: Yeah. It does.
>>: It's a question of master data there. What’s the master data, the encrypted data or the
printed plaintext.
>> Josh Benaloh: Yeah. And it could be that the encryption is actually an encryption of Adams
even though it prints Jefferson.
>>: Right. So the point is if you go and you look around the website and the encryption of the
barcode was Adams but it says Jefferson on the sheet of paper now you can go to the election
officials and say hey, why don’t you guys decrypt this ballot and you'll see it doesn't match up?
>> Josh Benaloh: You’ve got a good point that I hadn't realized. But I think what you have to do
is you have to find the piece of paper in the ballot box because that’s
>>: Well, it’s not in the box because this was a spoiled ballot, right? So I've got to take it home.
>>: But could you actually make a copy of a spoiled ballot and change the names?
>>: The spoiled ballot still has its plaintext on it you can prove that it doesn't match.
>> Josh Benaloh: Yeah, it does. You're right. If you can, if there's good provenance of that
piece of paper and forensically this is legitimately printed, yeah. I hadn't realized that. Thank
you. That was very useful for me. Okay. Good.
>>: [inaudible]?
>> Josh Benaloh: No. So there are still, this is something that I’ve been concerned about a lot
lately, great, great news, but basically, we've done all this work for a century and a half on this
notion of what's called the Australian ballot which is this very sophisticated process that we just
take for granted, don't even realize what's going on. But the process is we vote privately in a
publicly monitored environment. And that's supposed to thwart coercion. And it worked for
150 years. It was invented in the 1850s; it worked pretty well that there are people there to
watch that you're not being coerced when you fill out of your ballot and you close up your
ballot and drop it in the ballot box. That doesn't work when people are wearing cameras
everywhere. And it turns out there are some really serious attacks with glasses, with cameras
on the bridge of the nose, and all sorts of things and we've got, there are some ways in which
we might be able to deal with them, but it makes things much harder. But that's a whole other
area that I’d love to deal with.
>>: So [inaudible] force, coerce someone wearing glasses to prove they’re wearing them the
correct way?
>> Josh Benaloh: Yeah. You could certainly. You're an employer. I want the videotape
tomorrow or you lose your job. Yeah. It is possible to do that very efficiently too on a large scale. I can just, I have 100 employees. I don't have to review all of them. I can review two or
three of them, you're still going to do it because you're in threat of losing your job. So, anyway.
Okay. So one final thing before we wrap up is there is a survey if you want to respond. This is
like the worst thing in the world is to give a URL that you can't click on here. But if you go to
consensus I think all you need to do is, or just remember that and we will I think try to mail this
out to everybody whose name we have, so we got that at least, and if you're watching
remotely, okay, you have time to copy slowly but just go to consensus and then you can fill in
the rest pretty easily. That's the most important thing.
>>: And if you don't have access to the survey contact Josh.
>> Josh Benaloh: Yeah. Let me know. I think I checked there is an Everyone box but I checked.
So I think we've got that.
>>: Is that secure?
>> Josh Benaloh: Nope. This is purely trust them. It is supposedly anonymous, but who knows.
Anyway, thank you very much.