Masked Ballot Voting for Receipt-Free Online Elections

Roland Wen and Richard Buckland

School of Computer Science and Engineering
The University of New South Wales
Sydney, Australia
{rolandw,richardb}@cse.unsw.edu.au

VOTE-ID 2009




                                                          1 / 35
Outline

Background
   Receipt-Freeness
   Designing Receipt-Free Schemes

Masked Ballot Voting Scheme
   Overview
   Voting Scheme

Discussion

Background   Receipt-Freeness

Receipt-Freeness in Online Elections

   Online elections have great potential but serious concerns remain
   Elections have unique and challenging security requirements
       Secret ballot prevents bribery and coercion
       ⇒ Voters can lie to 3rd parties
   Receipt-freeness: voters cannot prove how they voted
       No receipt (evidence) for the vote

Why Is Receipt-Freeness Difficult?

   1. Electronic data is easy to copy
       ⇒ Easy to produce electronic evidence for the vote
   2. Plausible there could be a powerful adversary who intercepts all
      Internet communication (eg packet sniffing by ISPs)
       ⇒ Verify evidence

   Need secret information that prevents adversary from verifying
   evidence
       ⇒ Strong assumptions during the election
       Hard to realise assumptions in practice

Example: A Flawed Scheme
   Hypothetical voting scheme: voters and authorities only communicate
   via the Internet

   [Diagram: the VOTER (Gromit) encrypts vote 42 with random value 20 to
   ballot 1337 and casts it over the Internet to the AUTHORITIES ("Gromit
   casts 1337"). The ADVERSARY eavesdrops ballot 1337. When Gromit claims
   vote 41 with random value 19, the adversary re-encrypts and obtains
   9009 ≠ 1337: "You lying dog! Gotcha!"]

1. Untappable Channels Approach
   Untappable channels: adversary cannot intercept messages

   [Diagram: the AUTHORITIES hold a table pairing votes with ballots
   (42 → 1337, 41 → 9009, ...). The VOTER learns the vote-to-ballot
   correspondence over an untappable channel and casts ballot 1337 over the
   Internet ("Gromit casts 1337"). Gromit tells the ADVERSARY the vote was
   41 and presents a table pairing 41 with 1337. The adversary cannot tell
   whether this is the real table: "...I'm stuffed!"]

Problems with Untappable Channels

   Difficult to implement in practice
       Internet susceptible to eavesdropping by well-funded adversary
   Resolving disputes
       If voter claims authority is dishonest during the election, who is lying?
   Distributing trust among multiple authorities
       Voter must know identity of at least one trusted authority to lie safely
       Voter will be caught out if lying about messages from a corrupt
       authority
       ⇒ Typically have to assume no authorities collude with the adversary
       to bribe or coerce voters

2. Anonymous Channels Approach
   Anonymous channels: adversary cannot identify senders

   [Diagram: before the election the REGISTRAR tells the VOTER over an
   untappable channel "Gromit is 86". At election start Gromit encrypts
   vote 42 with random value 20 to ballot 1337 and casts it over an
   anonymous channel to the AUTHORITIES as "86 casts 1337"; another
   pseudonym casts "99 casts 9009" (vote 41, random value 19). Gromit tells
   the ADVERSARY "I am 99" with vote 41 and random value 19, which
   re-encrypts to 9009. The adversary cannot identify who 86 and 99 are:
   "Is Gromit really 99? ...I'm stuffed!"]

Problems with Anonymous Channels

   Difficult to implement in practice
       Hard to guarantee anonymity over Internet
       Eg mix-nets still require untappable channels between voters and
       mix-net
   Problems remain with offline untappable channels
       Resolving disputes
       Distributing trust

3. Trusted Randomisers Approach
   Trusted randomisers: generate secret randomness

   [Diagram: a RANDOMISER sends random value 20 to the VOTER over a local
   untappable channel. Gromit encrypts vote 42 with it to ballot 1337 and
   casts it over the Internet to the AUTHORITIES ("Gromit casts 1337").
   Gromit tells the ADVERSARY the vote was 41; without the random value the
   adversary cannot re-encrypt: "What is the random value? ...I'm stuffed!"]

Problems with Trusted Randomisers

   A lot of trust involved
       Hard to guarantee local channel is untappable
       Smart cards are tamper-resistant, not tamper-proof
       Single point of failure

Masked Ballot Voting Scheme

Approach

   How to avoid strong assumptions during the election?
       Voters and authorities can only communicate via the Internet
       Adversary can intercept all messages
   ⇒ Voter must construct ballot without any assistance during the
   election
       ⇒ Adversary can verify the voter’s private data against eavesdropped
       ballot
       ⇒ Private data must appear to correspond with any possible vote
   How does a voter indicate the actual vote?
       Vote must depend on secret information obtained before the election

Masked Ballot Voting

   Assumption: untappable channels available only before the election
   (offline registration stage)
       All communication during the election is posted to authenticated
       bulletin board via Internet
   Purely a voting scheme
       The output is an encrypted vote for each voter
       Generic: independent of the vote encoding
   Subsequent counting scheme calculates the result

Registration Stage

   [Diagram: the REGISTRAR sends the VOTER mask 11 over an untappable channel]

   A registrar provides each voter V with a secret mask
     1. Randomly select a mask m
     2. Encrypt m to obtain the ciphertext [[m]]
     3. Post (V, [[m]]) to the bulletin board
     4. Construct a designated-verifier proof d that [[m]] is an encryption of m
     5. Send (m, d) to V via an untappable channel

Voting Stage

   [Diagram: the VOTER subtracts mask 11 from vote 42 to obtain 31,
   encrypts 31 with random value 20 to ballot 1337, and casts it over the
   Internet to the AUTHORITIES ("Gromit casts 1337")]

   A voter casts a masked ballot for a vote v using mask m
     1. Encrypt (v − m) to obtain the ciphertext [[v − m]]
     2. Construct a proof p of plaintext knowledge
     3. Post ([[v − m]], p) to the bulletin board via the Internet

Unmasking Stage

   [Diagram: as in the voting stage; the masked ballot 1337 cast by Gromit
   and the encrypted mask posted by the REGISTRAR are both on the bulletin
   board]

   For each voter, any party can unmask the ballot [[v − m]]
       Encrypt with a threshold homomorphic cryptosystem, eg Paillier
       Use the additive homomorphism to combine [[m]] posted by the registrar
       and [[v − m]] posted by the voter
         [[v − m]] ⊕ [[m]] = [[v]]
       (⊕ is homomorphic addition of ciphertexts; for Paillier it is
       multiplication of the ciphertexts modulo n²)

Thwarting the Adversary

   [Diagram: Gromit's real values are vote 42, mask 11 and random value 20,
   giving input 31 and ballot 1337. Gromit tells the ADVERSARY vote 41 and
   mask 10, which also give input 31 and, with random value 20, the same
   ballot 1337. The adversary has no way to check the mask: "Is Gromit's
   real mask 10? ...I'm stuffed!"]

   Gromit cannot lie about input 31 (v − m)
       But can lie about m and hence v

 1. Attacks after ballot is cast
 2. Attacks before ballot is cast
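As an added example (not the authors' code), the following toy Paillier instance walks through the registration, voting and unmasking stages and then replays both adversary checks: in the flawed scheme of the earlier slides the eavesdropped ballot exposes a lie about (vote, random), whereas with a masked ballot a voter who reveals the true random value but a shifted mask produces exactly the eavesdropped ballot. All primes and numeric values are constructed, and the designated-verifier proof and proof of plaintext knowledge are omitted.

```python
"""Toy Paillier walk-through of the Masked Ballot stages (added example, not the
authors' code). Constructed tiny primes: a teaching aid, not a secure system.
The designated-verifier proof and proof of plaintext knowledge are omitted."""
import secrets
from math import gcd

P, Q = 1_000_003, 1_000_033            # constructed toy primes (real keys: 2048-bit+)
N = P * Q
N2 = N * N
G = N + 1                              # standard generator choice g = n + 1
LAMBDA = (P - 1) * (Q - 1)             # any multiple of lcm(p-1, q-1) works here
MU = pow(LAMBDA, -1, N)                # with g = n + 1, mu = lambda^-1 mod n

def encrypt(plain, r):
    """Paillier E(plain; r) = g^plain * r^n mod n^2, with r explicit so that an
    adversary's re-encryption check can be reproduced exactly."""
    assert 0 < r < N and gcd(r, N) == 1
    return (pow(G, plain % N, N2) * pow(r, N, N2)) % N2

def decrypt(cipher):
    """Paillier decryption with the private key (lambda, mu)."""
    l_val = (pow(cipher, LAMBDA, N2) - 1) // N
    return (l_val * MU) % N

def hom_add(c1, c2):
    """Additive homomorphism: E(a) * E(b) mod n^2 is an encryption of a + b."""
    return (c1 * c2) % N2

def random_r():
    """Fresh encryption randomness in Z_n^*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def flawed_scheme_check(ballot, claimed_vote, claimed_r):
    """Flawed scheme from the slides: the vote is encrypted directly, so the
    eavesdropped ballot lets anyone verify a claimed (vote, random) pair."""
    return encrypt(claimed_vote, claimed_r) == ballot

def registrar_issue_mask():
    """Registration stage: choose mask m and post [[m]] (m itself goes to the
    voter over the offline untappable channel)."""
    m = secrets.randbelow(N)
    return m, encrypt(m, random_r())

def voter_cast(vote, mask):
    """Voting stage: post [[v - m]] (mod n). Returns the ballot and the voter's r."""
    r = random_r()
    return encrypt((vote - mask) % N, r), r

def unmask(masked_ballot, posted_mask):
    """Unmasking stage: anyone combines [[v - m]] and [[m]] into [[v]]."""
    return hom_add(masked_ballot, posted_mask)

def masked_scheme_check(ballot, claimed_vote, claimed_mask, claimed_r):
    """Best the adversary can do with a masked ballot: re-encrypt (v' - m')."""
    return encrypt((claimed_vote - claimed_mask) % N, claimed_r) == ballot

def demo():
    """Gromit truly votes 42 (values constructed to mirror the slides)."""
    m, posted_mask = registrar_issue_mask()
    ballot, r = voter_cast(42, m)
    tallied = decrypt(unmask(ballot, posted_mask))
    # Coercer demands vote 41. Gromit reveals the real r but a shifted mask
    # m' = m - 1, so 41 - m' == 42 - m and the re-encryption matches exactly.
    fake_mask = (m - 1) % N
    flawed_ballot = encrypt(42, 20)    # flawed scheme with the slide's values
    return {
        "tallied_vote": tallied,
        "truth_verifies": masked_scheme_check(ballot, 42, m, r),
        "lie_verifies": masked_scheme_check(ballot, 41, fake_mask, r),
        "flawed_lie_caught": not flawed_scheme_check(flawed_ballot, 41, 19),
    }

if __name__ == "__main__":
    print(demo())
```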
Proving Receipt-Freeness

   Moran and Naor’s simulation-based model
       Receipt-free against an adaptive adversary
   Ideal world captures properties of ideal voting protocol
       Only allows adversary to force voters to abstain or vote randomly
       Simulate the real protocol
       ⇒ Real protocol is as receipt-free as ideal protocol
   Voting protocol has a coercion-resistance strategy
       Describes how voters thwart the adversary’s instructions

Discussion

Limitations of Masked Ballot Assumptions

   Secret information (mask) sent before election cannot be re-used
       Less convenient for voters
   Voters cannot provide proofs of vote validity
       May require extra work for authorities to remove invalid votes before
       the counting
   Voters can still prove if they abstained or voted randomly
       Coercion-resistance property requires anonymous channels
       So only receipt-freeness is achievable

Summary

   All approaches to receipt-freeness use untappable channels to protect
   some secret information
       Different trade-offs
   Masked Ballot Voting Scheme achieves receipt-freeness with a more
   practical assumption during the election
       Only relies on standard cryptographic components during the election
       Shifts problematic assumptions to before the election
   Many good cryptographic solutions
       Biggest remaining problem is to resolve practical issues
       Eg authentication, DOS, malware, shoulder-surfing