Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo

Transcription

1 Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araúo Fachbereich 20 CDC Denise Demirel 1

2 Helios Introduced 2008 by Ben Adida Web application for Internet voting Online accessible: Easy to use, free of charge, provides end-to-end verifiability Tool to support elections for companies, online groups, President of the Université Catholique de Louvain (2009) Princeton Undergraduate Student Government election (2009) Fachbereich 20 CDC Denise Demirel 2

3 Helios Election Process (1) 1. System initialization a) User creates election by setting parameters and list of eligible voters. b) Software generates election templates (e.g. ballot, key pair for threshold decryption). Helios Server Application 2. Vote Casting process a) Voter receives containing username, password, URL,... b) Single-page JavaScript application starts and downloads parameters and Voter Fachbereich 20 CDC Denise Demirel 3

4 Helios Election Process (2) 2. Vote Casting process c) Voter fills out the ballot, which is encrypted by the application. d) Hash of encrypted vote is shown to the voter. e) The voter has the option to audit. In this case go back to step 2c). f) Application clears scope, voter authenticates g) ID, password, encrypted vote and proofs are sent to the Helios server which responds with a success message. h) The Helios server sends the voter an containing the hash of the cast vote. Helios Server Application Voter Fachbereich 20 CDC Denise Demirel 4

5 Helios Election Process (3) 3. Tallying and publishing of votes Helios Server a) The Helios server publishes the Bulletin Board encrypted votes, hashes and proofs on the Bulletin Board. b) The Helios server computes the election outcome. Mixing + decryption + tallying Homomorphic tallying + decryption Voter 1: Voter 2: Voter 3: Voter 4: Election outcome Fachbereich 20 CDC Denise Demirel 5

6 Tallying and Publishing of Votes Voters Candidate 1 Candidate 2 Candidate n Voter 1 : Voter V Enc(t 1 1 ) : Enc(t 1 V ) Enc(t 2 1 ) : Enc(t 2 V ) : Enc(t n 1 ) : Enc(t n V ) Total Enc(t 1 ) Enc(t 2 ) Enc(t n ) Equals Enc( t 1 ) Enc( t 2 ) Enc( t n ) Vote is represented as vector t 1,, t l. Vote for candidate i is vector where t i = 1 and t k = 0 for k i. Each entry is encrypted individually using exponential ElGamal. Votes for each candidate are tallied homomorphically and decrypted. Decryption results in δ t (need to solve DL, but here values are small) Fachbereich 20 CDC Denise Demirel 6

7 Properties Individual Verifiability Voter Bulletin Board Universal Verifiability Correctness Voter 1: Voter 2: Voter 3: Voter 4: Computational Privacy Election outcome Fachbereich 20 CDC Denise Demirel 7

8 Computational Privacy Homomorphic Public-Key Cryptography e.g. Paillier, ElGamal Computational Assumptions Brute-Force Principle of free suffrage Fachbereich 20 CDC Denise Demirel 8

9 Helios Providing Everlasting Privacy Towards the Public Goal: Having all published data (Bulletin Board, receipts), even a computationally unbounded attacker cannot reveal the cast voting decision. Solution: Encryption of the cast voting decision using a One-Time-Pad. Challenge: How can a pair of voting decision and associated key be tallied homomorphically providing Verifiability and Everlasting Privacy regarding the published information? Fachbereich 20 CDC Denise Demirel 9

10 Encoding using Pedersen Commitments Cyclic group G Random generators g and h (log g h unknown and computationally hard) Encoding of vote t Z G : C t, s number s Z G. = g s h t with random Fachbereich 20 CDC Denise Demirel 10

11 Properties of Pedersen Commitments Computational Binding: Decrypting (opening) to a different value is impossible given that solving Discrete Log is computationally hard. C t 1, s 1 = g s 1 h t 1 = g s 2h t 2 g s 1 s 2 = h t t2 t1 2 t 1 g = hs1 s2 Additive Homomorphic: C t 1, s 1 C t 2, s 2 = g s 1h t 1 g s 2h t 2 = C t 1 + t 2, s 1 + s 2 Everlasting Privacy: The commitment scheme is unconditionally hiding Fachbereich 20 CDC Denise Demirel 11

12 Modified Election Process (1) 1. System initialization a) User creates election by setting parameters and list of eligible voters. b) Software generates election templates (e.g. ballot, key pair for threshold decryption, parameters for Pedersen Commitment). Helios Server Application 2. Vote Casting process a) Voter receives containing username, password, URL,... b) Single-page JavaScript application starts and downloads parameters and Voter Fachbereich 20 CDC Denise Demirel 12

13 Modified Election Process (2) 2. Vote Casting process c) Voter marks a choice, which is encoded using Pedersen Commitments. d) The Hash of the commitment is shown to the voter. e) The voter has the option to audit. In this case go back to step 2c). f) Application clears scope, voter authenticates g) ID, password, commitment, encrypted decommitment values and proofs are sent to the Helios server which responds with a success message. h) The Helios server sends the voter an containing the hash of the cast vote. Helios Server Application Voter Fachbereich 20 CDC Denise Demirel 13

14 Everlasting Privacy Additional Assumption: There exists a private channel between the user s browser and the server (e.g. by sending keys per mail). Additional Property: Everlasting Privacy towards the public. Attacking this version requires much more work. Helios Server v, w Application v*,w* u Key Trustees t*,s* Bulletin Board Fachbereich 20 CDC Denise Demirel 14

15 Modified Tallying Process 1 u 1 1 = α s 1(1) β t 1(1) u l 1 = α s l(1) β t l(1) : : : : V u 1 V = α s 1() β t 1() u l V = α s l() β t l() 1 v 1 1 = γ s 1 1 (r 1 (1)) N v l 1 = γ s l 1 (r l (1)) N : : : : V v 1 V = γ s 1 V (r 1 (V)) N v l V = γ sl(v) (r l (V)) N D(v 1 ) D(v l ) 1 w 1 1 = γ t 1 1 (r 1 (1)) N w l 1 = γ t l 1 (r l (1)) N s 1 = s 1 () s l = s l () : : : : V w 1 V = γ t 1 V (r 1 (V)) N w l V = γ tl(v) (r l (V)) N D(w 1 ) D(w l ) u 1 () t 1 = t 1 () t l = t l () = α s1 β t 1 u l () = α sl β t l decrypt and publish v 1 = w 1 = v 1 () w 1 () v l = w l = v l () w l () Public Helios Bulletin Board Helios Server (private Information) Fachbereich 20 CDC Denise Demirel 15

16 Modified Tallying Process 1 u 1 1 = α s 1(1) β t 1(1) u l 1 = α s l(1) β t l(1) : : : : V u 1 V = α s 1() β t 1() u l V = α s l() β t l() 1 v 1 1 = γ s 1 1 (r 1 (1)) N v l 1 = γ s l 1 (r l (1)) N : : : : V v 1 V = γ s 1 V (r 1 (V)) N v l V = γ sl(v) (r l (V)) N D(v 1 ) D(v l ) 1 w 1 1 = γ t 1 1 (r 1 (1)) N w l 1 = γ t l 1 (r l (1)) N s 1 = s 1 () s l = s l () : : : : V w 1 V = γ t 1 V (r 1 (V)) N w l V = γ tl(v) (r l (V)) N u 1 () t 1 = D(w 1 ) t 1 () t l = D(w l ) t l () = α s1 β t 1 u l () = α sl β t l Public Helios Bulletin Board decrypt and publish v 1 = w 1 = v 1 () w 1 () v l = w l = v l () w l () Note: The Message space of the Commitment and the Encryption Scheme must match. Helios Server (private Information) Fachbereich 20 CDC Denise Demirel 16

17 Parameters Need a commitment scheme with a matching semantically secure encryption scheme. Construction by Moran and Naor (Split Ballot): Paillier: N = p 1 p 2 where p 1 and p 2 are safe primes. Pedersen Commitments: Subgroup of Group Z 4N+1 having order N, where 4N + 1 must be prime Fachbereich 20 CDC Denise Demirel 17

18 Proofs 1) Public Proof - Proof of validity of the ballot 1) Each entry of the vector is either 0 or 1. Modification of proof of validity [CFSY96]. 2) Only one entry equals 1. Prove knowledge of l i=1 u i β 1 using Schnorr. 2) Private Proof - Consistency of the commitment and encrypted information Cut-and-Choose (Compare to [MN10]) Fachbereich 20 CDC Denise Demirel 18

19 Proof of Validity Prover Verifier v = 1 v = 0 α, r 1, d 1, w 2 R Z q α, r 2, d 2, w 1 R Z q B α s β B α s a 1 α r 1B d 1 a 1 α w 1 a 2 α w 2 a 2 α r 2(B/β) d 2 B, a 1, a 2 d 2 c d 1 d 1 c d 2 c c R Z q r 2 w 2 + sd 2 r 1 w 1 + sd 1 d 1, d 2, r 1, r 2 d 1 + d 2 c α r 1 a 1 B d 1 α r 2 a 2 (B/β) d Fachbereich 20 CDC Denise Demirel 19

20 Consistency Proof u = α s β t, v = γ s r N, w = γ t r N Show knowledge of t, s, r, r by Cut-and-Choose 1. Choose t, s, r, r and generate second triple u, v, w 2. Challenge: 0 or 1 3. If 0 publish t, s, r, r, if 1 publish t + t, s + s, r r, r r. 4. Check and 5. Repeat u u α s β t u = α s β t v = γ s r N w = γ t r N u α s+s β t+t v γ s+s (r r ) N w γ t+t (r r ) N v v γ s r N, w w γ t r N Fachbereich 20 CDC Denise Demirel 20

21 Consistency Proof u = α s β t, v = γ s r N, w = γ t r N Show knowledge of t, s, r, r by Cut-and-Choose 1. Choose t, s, r, r and generate second triple u, v, w 2. Challenge: 0 or 1 3. If 0 publish t, s, r, r, if 1 publish t + t, s + s, r r, r r. 4. Check and 5. Repeat u = α s β t v = γ s r N w = γ t r N u u α s β t Probability that two different values for s and t will not be detected is 1 u = α s+s β t+t 2 b v for γ b s+s iterations. (r r ) N w γ t+t (r r ) N v v γ s r N, w w γ t r N Fachbereich 20 CDC Denise Demirel 21

22 Future Work Improvements for booth voting: Principle of free suffrage. Everlasting privacy can be implemented also for electronic voting systems like Prêt à Voter, Scratch & Vote and MarkPledge. Cuvelier, Peters and Pereira s Efficient commitment scheme with matching encryption scheme based on elliptic curves (presented at SecVote 2012) Fachbereich 20 CDC Denise Demirel 22

23 Thank you Questions? Fachbereich 20 CDC Denise Demirel 23