Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant

Transcription

1 Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING 16 February 26th, 2016

2 Content 1. Previous Work 2. Building Blocks 3. Our Electronic Voting Scheme 4. Conclusion 2 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

3 Previous Work (Juel, Catalano and Jakobsson, WPES 2005) JCJ formally defined the property of coercion-resistance, by considering possible attacks: constrain a voter to cast given or random votes force her to reveal her private data vote on her behalf force her to abstain Main idea: a coercer must be unable to distinguish a fake credential from a valid one. for N ballots, the tallying complexity is in O N 2 3 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

4 Motivations Linear complexity Multiple elections Practical for real polls Completely anonymous AFT07 AT13 CH11 SKHS11 4 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

5 Building Blocks Designated Verifier Proof (DVP) which cannot be transferred: Only the designated verifier can be convinced by this proof Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKP): Enable a prover to convince a verifier that he knows some secret ElGamal Cryptosystem Algebraic MAC Scheme Sequential Aggregate MAC Scheme 5 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

6 ElGamal Cryptosystem Given G = g cyclic group of prime order p private key x, public key pk = g x encryption of m: E pk m = g r, mh r decryption of E pk m : mh r gr x Properties: multiplicatively homomorphic: E pk m 1 E pk m 2 = E pk [m 1 m 2 ] distribution of the private key (i.e. the decryption) comparison of two ciphertexts via Plaintext Equivalence Test (PET): PET E pk m 1, E pk m 2 easy re-encryption: = 1 if m 1 = m 2 and 0 otherwise E pk m = (g r, mh r ) can be transformed in E pk m = (g r+r, mh r+r ) 6 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

7 Algebraic MAC Scheme (Chase, Meiklejohn, Zaverucha, ACM CCS2014) Setup 1 k : Generate pp = (G, p, g, h) such that G cylic group of prime order p, where DDH is hard g, h two of its generators KeyGen(pp): secret key sk = x 0, x 1, x 2 optionally, the public parameters (C x0 = g x 0h x, X 1 = h x 1, X 2 = h x 2) MAC(sk, m 1, m 2 ): choose u randomly generate σ = (u, u ) where u = u x 0+m 1 x 1 +m 2 x 2 Verify(sk, m 1, m 2, σ): u 1 and u x 0+m 1 x 1 +m 2 x 2 =? u Deciding whether m, u, u = u x 0+mx 1 is a valid MAC on m is equivalent to the DDH problem. 7 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

8 Our Sequential Aggregate MAC Scheme Setup: pp = (G, p, g, h) sk 1 = x 0, x 1, secret key of the first signer S 1 sk 2 = x 2, secret key of the second signer S 2 C x0 = g x 0h x, X 1 = h x 1, X 2 = h x 2, associated public parameters Computation of MAC on m 1 by S 1 and m 2 by S 2 : S 1 u, u = u x 0+m 1 x 1, m 1 S 2 w = u t, w = u u m 2x 2 t, m 1, m 2 Verification: w 1 and w =? w x 0+m 1 x 1 +m 2 x 2 receiver existentially unforgeable 8 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

9 voters Our evote Scheme Receive credential in order to cast a vote 1. Setup 2. Registration 3. Voting 4. Tallying Issue credentials in a distributed manner during the registration step registration authorities coercers Force voters to make a particular vote and try to verify it Jointly manage the tallying phase tallying authorities 9 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

10 Security Model Registration occurs through an untappable channel no adversaries at this step Votes may be posted anonymously Bulletin Board is universally accessible Attacker may: access to all public information corrupt a subpart of the election authorities coerce voters: requests secrets, forces a particular vote Voters trust their voting client. 10 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

11 Set-Up Set-Up: 1. Setup 2. Registration 3. Voting 4. Tallying g, h, o generators of a cyclic group G of prime order p registrars R: share sk = (x 0, x 1 ), pk = (C x0 = g x 0h x, X 1 = h x 1) talliers T: share sk and an ElGamal keypair T, T Registration: credential s, u, u : s and u chosen randomly by R u = u x 0+sx 1 computed by R in case of coercion, fake credential: s, u, u (DDH assumption) 11 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

12 Registration 1. Setup 2. Registration 3. Voting 4. Tallying R jointly compute (u, u = u x 0+sx 1 ) with s, u cooperatively selected and prove its validity through a DVP: s, u, u, DVP If a coercer asks to her credential, she can send a fake one: (s, u, u ) The DVP can only convince the designated voter! 12 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

13 More about our Ballot Credential: (s, u, u ) where u = u x 0+sx 1 Ballot: E T v, w, w, E T w s, o s, P w, w is a randomized credential s.t. w = u l and w = u l P is a pair of NIZKPs of validity: E T v is an encryption of a valid vote the voter knows: the plaintext of E T w s the secret s, common both to E T w s and o s 13 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

14 Voting (first election) 1. Setup 2. Registration 3. Voting 4. Tallying Vote under coercion: E T a, w, w, E T w s, o s, P Revote: E T b, w, w, E T w s, o s, P Bulletin Board E T a, w, w, E T w s, o s, P E T b, w, w, E T w s, o s, P 14 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

15 Tallying Phase [1/5] 1. Discard ballots with invalid proofs 1. Setup 2. Registration 3. Voting 4. Tallying Bulletin Board (offline) E T b, w 1, w 1, E T w r 1, o r, P E T b, w 2, w 2, E T w s 2, o s, P E T a, w 3, w 3, E T w t 3, o t, P E T b, w 4, w 4, E T w s 4, o s, P E T a, z 1, z 1, E T z r 1, o r, P E T a, z 2, z 2, E T z s 2, o s, P 15 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

16 Tallying Phase [2/5] 2. Remove duplicates votes ballots published using the same secret s 1. Setup 2. Registration 3. Voting 4. Tallying Bulletin Board (offline) E T b, w 1, w 1, E T w r 1, o r E T b, w 2, w 2, E T w s 2, o s E T a, w 3, w 3, E T w t 3, o t E T b, w 4, w 4, E T w s 4, o s E T a, z 2, z 2, E T z s 2, o s Possible policy: keep the last one 16 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

17 Tallying Phase [3/5] 3. Reconstruction and checking of credentials 1. Setup 2. Registration 3. Voting 4. Tallying Bulletin Board (offline) E T b, w 1, w 1, E T w r 1 E T a, w 3, w 3, E T w t 3 E T b, w 4, w 4, E T w s 4 s E T a, z 2, z 2, E T z 2 1. The authorities cooperatively compute E T w, E T w x 0, E T w s, E T w s x 1 in order to obtain: E T w x 0 E T w sx 1 = E T w x 0+sx 1 2. Then, power C = E T w x 0+sx 1 /w to a fresh random α for the PET: D = C α should be equal to E T 1 17 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

18 Tallying Phase [4/5] 1. Setup 2. Registration 3. Voting 4. Mix the ballots 4. Tallying Bulletin Board (offline) E T b, D 1 E T a, D 2 E T b, D 3 E T a, D 4 Mix Net Bulletin Board E T a, D 2 E T a, D 4 E T b, D 3 E T b, D 1 Re-encrypt and permute each row Published on the WBB 18 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

19 Tallying Phase [5/5] 5. Identify valid votes by jointly decrypting D i : 1. Setup 2. Registration 3. Voting 4. Tallying If the plaintext is equal to 1, the ballot is valid and thus decrypted Bulletin Board (offline) E T a, D 2 E T a, D 4 E T b, D 3 E T b, D 1 Distributed decryption Results a a b 19 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

20 Multiple Elections and Credentials Revocation For a second election, registrars R: jointly generate an election identifier e I compute a new pair of keys (x 2, X 2 = h x 2), shared with the talliers T publish an updated credential w, w for each eligible voter: (u, u = u x 0+sx 1 ) associated to the secret s becomes u t, u u e Ix 2 t = (w, w = w x 0+sx 1 +e I x 2 ) voting and tallying phases are unchanged 20 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

21 Security A voter cannot prove her vote: false and real credentials are indistinguishable No forced abstention: votes cast using anonymous channel No forced randomization and impersonation: voter can use fake credential for false vote and cast another one later Resistance to shoulder-surfing: Re-vote policy: only the last might count Our voting scheme satisfies: - eligibility requirement through security properties of the MAC, - coercion-resistance property under DDH assumption. 21 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

22 Conclusion a Sequential Aggregate MAC Scheme existentially unforgeable Our new voting scheme for remote elections is: publicly verifiable efficient (linear time complexity) coercion-resistant allowing multiple elections and credentials revocation 22 Remote e-voting: Efficient, Verifiable and Coercion-Resistant

23 Thank you