Cryptography for electronic voting
Bogdan Warinschi, University of Bristol
Aims and objectives
• Cryptographic tools are amazingly powerful
• Models are useful, desirable, and difficult to get right
• Cryptographic proofs are not difficult
• Me: survey basic cryptographic primitives and their models
• Me: sketch one (several?) cryptographic proofs
• You (and me): ask questions
• You: I assume you know groups, RSA, DDH
Useful, desirable, difficult to get
Design-then-break paradigm (diagram: design a scheme, try to break it; either an attack is found or no attack is found). Guarantees: no attack has been found yet
Security models: mathematical descriptions of
• What a system is
• How a system works
• What an attacker is
• What a break is
Advantages: clarify the security notion; allow for security proofs (guarantees within clearly established boundaries). Shortcomings: abstraction – implicit assumptions, details are missing (e.g. trust in hardware, side channels)
Voting scheme (diagram: voters submit votes v1, v2, …, vn)
Complex elections
• 2 candidates: majority decision
• N candidates:
• Limited vote: vote for a number t of candidates
• Approval vote: vote for any number of candidates
• Divisible vote: distribute t votes between candidates
• Borda vote: t votes for the first preference, t-1 for the second, etc.
Wish list
• Eligibility: only legitimate voters vote; each voter votes once
• Fairness: voting does not reveal early results
• Verifiability: individual, universal
• Privacy: no information about the individual votes is revealed
• Receipt-freeness: a voter cannot prove s/he voted in a certain way
• Coercion-resistance: a voter cannot interact with a coercer to prove that s/he voted in a certain way
Today: privacy
• Privacy-relevant cryptographic primitives: commitment schemes, blind signature schemes, asymmetric encryption, secret sharing
• Privacy-relevant techniques: homomorphicity, rerandomization, threshold cryptography
• Security models: for several primitives and for vote/ballot secrecy
• Voting schemes: FOO, Minivoting scheme
Tomorrow: (mainly) verifiability
• What's left of privacy
• Verifiability-relevant cryptographic primitives: zero knowledge, applications of zero knowledge
• The Helios internet voting scheme
Game based models (diagram: the attacker sends queries to a challenger and receives answers; at the end it outputs 0/1)
A VOTING SCHEME
Fujisaki Okamoto Ohta [FOO 92]: voters, election authorities and tallying authorities; 1. Registration phase, 2. Voting phase, 3. Tallying phase
FOO – Registration (diagram slides: the voter writes "My vote"; special glue: can only be unglued with [image]; carbon paper; the authority checks "John Smith: registered voter who didn't vote yet" and stamps the sealed envelope "Valid!")
FOO – Voting phase (diagram: the voter sends the "Valid!" envelope over an anonymous channel)
FOO – Tallying phase (diagram: the received "Valid!" envelopes are opened; …and the winner is: Vote 1, Vote 2, Vote 3, …, Vote N)
CRYPTOGRAPHIC IMPLEMENTATION
Digital signature schemes (diagram: Setup(ν) → params; Kg → (sk, vk); Sign_sk(m) → s; Verify_vk(m, s) → yes/no)
Digital signature schemes
• Syntax:
• Keygen(ν): generates (sk, vk), the secret signing key and the verification key
• Sign(sk, m): the signing algorithm produces a signature s on m
• Verify(vk, m, s): the verification algorithm outputs accept/reject
Unforgeability under chosen message attack (UF-CMA). Good definition? (diagram: the attacker receives the public key vk, asks for signatures si on messages mi of its choice, and outputs a forgery (m*, s*)). UF-CMA security: for all PPT attackers there exist a negligible function f and an n0 such that for all security parameters n ≥ n0, Prob[win] ≤ f(n)
Full Domain Hash
• Syntax:
• Keygen(ν): generate an RSA modulus N = PQ, and d and e such that ed = 1 mod φ(N). Let H be a good hash function that hashes into Z_N^*. Set vk = (H, N, e) and sk = (H, N, d).
• Sign((H, N, d), m): output H(m)^d mod N
• Verify((N, e), m, s): accept iff s^e = H(m) mod N
• Security: UF-CMA secure in the random oracle model under the RSA assumption
Blind digital signature schemes (diagram: Setup(ν) → params; Kg → (sk, vk); Blind-Sign is a protocol between the user U holding m and the signer S holding sk, after which U holds s; Verify_vk → yes/no)
Blind digital signature schemes
• Syntax:
• Keygen(ν): generates (sk, vk), the secret signing key and the verification key
• Blind-Sign: protocol between user U(m, vk) and signer S(sk); the user obtains a signature s on m
• Verify(vk, m, s): the verification algorithm outputs accept/reject
Blind digital signature schemes
• Security:
• Blindness: a malicious signer obtains no information about the message being signed
• Unforgeability: . . .
Chaum's blind signature scheme
• Key generation(): generate an RSA modulus N = PQ, and d and e such that ed = 1 mod φ(N). Set vk = (N, e) and sk = (N, d)
• Blind-sign (diagram: the User holds (m, (N, e)) and picks r with gcd(r, N) = 1; the Signer holds (d, N))
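As an added worked example (not code from the slides), Full Domain Hash signing and the textbook two-move Chaum protocol in Python: the user sends H(m)·r^e, the signer applies d, the user divides out r. The toy RSA primes, the SHA-256-based stand-in for a hash onto Z_N^* and the blinding factor are all constructed for illustration.

```python
import hashlib
from math import gcd

# Constructed toy RSA key: tiny primes so the arithmetic is easy to follow.
# Real FDH/Chaum signatures need ~2048-bit moduli; this is for illustration only.
P, Q = 1009, 1013          # constructed example primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # ed = 1 mod phi(N)

def H(m: bytes) -> int:
    """Toy 'full domain' hash (assumption): SHA-256 reduced into Z_N, standing in for a hash onto Z_N^*."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

# --- Full Domain Hash: Sign = H(m)^d mod N, Verify checks s^e = H(m) mod N ---
def fdh_sign(m: bytes, d: int = D) -> int:
    return pow(H(m), d, N)

def fdh_verify(m: bytes, s: int, e: int = E) -> bool:
    return pow(s, e, N) == H(m)

# --- Chaum's blind signature (textbook two-move protocol) ---
def blind(m: bytes, r: int) -> int:
    """User: pick r with gcd(r, N) = 1 and send H(m) * r^e mod N.
    For uniform r this value is uniform in Z_N^*, so the signer learns nothing about m (blindness)."""
    assert gcd(r, N) == 1
    return (H(m) * pow(r, E, N)) % N

def blind_sign(blinded: int, d: int = D) -> int:
    """Signer: an ordinary RSA signature on the blinded value."""
    return pow(blinded, d, N)

def unblind(blinded_sig: int, r: int) -> int:
    """User: (H(m) r^e)^d = H(m)^d r mod N, so multiplying by r^-1 leaves H(m)^d."""
    return (blinded_sig * pow(r, -1, N)) % N

def demo() -> bool:
    ballot = b"vote:candidate-2"   # constructed message (think: a FOO-style committed ballot)
    r = 123457                     # constructed blinding factor, coprime to N
    s = unblind(blind_sign(blind(ballot, r)), r)
    # The unblinded signature is exactly the plain FDH signature on the ballot.
    return s == fdh_sign(ballot) and fdh_verify(ballot, s)
```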
Commitment schemes
• Temporarily hide a value, but ensure that it cannot be changed later
• 1st stage: Commit. The Sender electronically "locks" a message in an envelope and sends the envelope to the Receiver
• 2nd stage: Decommit. The Sender proves to the Receiver that a certain message is contained in the envelope
Commitment schemes (diagram: Setup(ν) → params; Commit(params, m) → (C, d); Decommit → yes/no)
Commitment schemes
• Syntax:
• Setup(): outputs scheme parameters
• Commit(x; r): outputs (C, d), where C is a commitment to x and d is the decommitting information
• Decommit(C, x, d): outputs true/false
• Functionality: if (C, d) was the output of Commit(x; r) then Decommit(C, x, d) is true
Security of Commitment Schemes
• Hiding: the commitment does not reveal any information about the committed value. If the receiver is probabilistic polynomial-time, then computationally hiding; if the receiver has unlimited computational power, then perfectly hiding
• Binding: there is at most one value that an adversarial committer can successfully "decommit" to. Perfectly binding vs. computationally binding
Exercises
• (easy): Can a commitment scheme be both perfectly hiding and binding?
• (tricky): Let G be a cyclic group and g a generator for G. Consider the commitment scheme (Commit, Decommit) for elements in {1, 2, …, |G|}: Commit(x) outputs C = g^x and d = x; Decommit(C, d) is 1 if g^x = C and 0 otherwise. Is it binding (perfectly, computationally)? Is it hiding (perfectly/computationally)?
Pedersen Commitment Scheme
• Setup: generate a cyclic group G of prime order, with generator g. Set h = g^a for a random secret a in [|G|]. G, g, h are public parameters (a is kept secret)
• Commit(x; r): to commit to some x ∈ [|G|], choose random r ∈ [|G|]. The commitment to x is C = g^x h^r (notice that C = g^x (g^a)^r = g^(x+ar))
• Decommit(C, x, r): check C = g^x h^r
Security of Pedersen Commitments
• Perfectly hiding: given a commitment c, every value x is equally likely to be the value committed in c. Given x, r and any x', there exists a unique r' such that g^x h^r = g^x' h^r', namely r' = (x-x')a^(-1) + r (but one must know a to compute r')
• Computationally binding: if the sender can find different x and x' both of which open the commitment c = g^x h^r, then he can solve discrete log. Suppose the sender knows x, r, x', r' s.t. g^x h^r = g^x' h^r'. Because h = g^a, this means x + ar = x' + ar' mod |G|. The sender can compute a as (x'-x)(r-r')^(-1)
Fujisaki Okamoto Ohta (FOO)
• (medium) Specify the Fujisaki, Okamoto, Ohta protocol [you may assume two-move blind signing protocols, like Chaum's]
Some difficulties with FOO
• Requires anonymous channels (Tor?)
• Voters involved in all of the tallying phases
• Only individual verifiability
ASYMMETRIC ENCRYPTION SCHEMES
Asymmetric encryption (diagram: Setup(ν) → params; Kg → (pk, sk); Enc_pk(m) → C; Dec_sk(C) → m)
Syntax
• Setup(ν): fixes parameters for the scheme
• KG(params): randomized algorithm that generates (PK, SK)
• ENC_PK(m): randomized algorithm that generates an encryption of m under PK
• DEC_SK(C): deterministic algorithm that calculates the decryption of C under SK
Functional properties
(exponent) ElGamal
Functional properties
IND-CPA security. Good definition? (diagram: the attacker receives the public key PK, submits M0, M1, receives C and outputs a guess d; wins if the guess is correct). Theorem: If the DDH problem is hard in G then the ElGamal encryption scheme is IND-CPA secure.
SINGLE PASS VOTING SCHEME
Informal (diagram: voters P1: v1, P2: v2, …, Pn: vn encrypt their votes under PK and post ciphertexts C1, C2, …, Cn on the bulletin board BB; the tallier holds SK)
Syntax of SPS schemes
• Setup(ν): generates (x, y, BB): the secret information for tallying, the public information/parameters of the scheme, and the initial BB
• Vote(y, v): the algorithm run by each voter to produce a ballot b
• Ballot(BB, b): run by the bulletin board; outputs the new BB and accept/reject
• Tallying(BB, x): run by the tallying authorities to calculate the final result
An implementation: Enc2Vote
Attack against privacy (diagram: P3 copies P1's ciphertext C1 onto the BB). Assume that votes are either 0 or 1. If the result is 0 or 1 then v1 was 0, otherwise v1 was 1. FIX: weed out equal ciphertexts
New attack (diagram: P3 posts C', obtained by mauling C1). FIX: make sure ciphertexts cannot be mauled and weed out equal ciphertexts
Non-malleable encryption (NM-CPA). Good definition? (diagram: the attacker receives PK, submits M0, M1, receives C, then submits ciphertexts C1, C2, …, Cn and receives their decryptions M1, M2, …, Mn; it outputs a guess d; wins if the guess is correct)
(NM-CPA) – alternative definition (diagram: the attacker receives PK, outputs a distribution Dist, receives C, and outputs a relation Rel and a ciphertext C*). NM-CPA security: for all PPT attackers there exists a negligible function f such that |Prob[Rel(M0, M*)] - Prob[Rel(M1, M*)]| ≤ f(n)
ElGamal is not non-malleable
Ballot secrecy for SPS [BCPSW 11] (diagram: the challenger keeps two bulletin boards BB0 and BB1 and the attacker sees BBb; the attacker submits pairs of honest votes (h0, h1) and ciphertexts C of its own, receives the result computed with SK, and outputs a guess d; wins if the guess is correct)
(diagram, continued: honest vote pairs (h0, h1) and attacker ciphertexts Ci are posted to BB; the attacker's ciphertexts C1, C2, …, Ct are decrypted with SK to v1, v2, …, vt before the result is computed; the attacker outputs d)
Exercises
• (easy) Define the hiding property for commitment schemes
• (medium) Modify the ballot secrecy experiment to accommodate the FOO scheme
• (difficult) Does FOO have vote secrecy?
More complex elections
• N voters, k candidates and (say) approval voting
• Allocate pk1, pk2, …, pkk, one for each candidate
• Voter i decides on v_ij ∈ {0, 1}. His ballot is: Enc_pk1(v_i1), Enc_pk2(v_i2), …, Enc_pkk(v_ik)
• Tallying is done for each individual key
• Ballot size: k·|ciphertext| (Wasteful?)
More complex elections
• N voters, k candidates (N is the maximum number of votes for any candidate)
• Encode the choices in a single vote: v_i1, v_i2, v_i3, …, v_ik, each of log N bits
• The choices of user j encoded as Σ_i v_ij · N^i
• Size: k · c · |log N| (better?)
Paillier encryption
• Public key N = PQ = (2p+1)(2q+1)
• Secret key d satisfying d = 1 mod N, d = 0 mod 4pq
• Encrypt vote v ∈ Z_N using randomness R ∈ Z_N^*: C = (1+N)^v · R^N mod N^2
• Decrypt by computing v = ((C^d - 1) mod N^2)/N
Correct decryption
• Public key N = PQ = (2p+1)(2q+1)
• Secret key d satisfying d = 1 mod N, d = 0 mod 4pq
• The multiplicative group Z_{N^2}^* has size 4Npq
• We also have (1+N)^N = 1 + N·N + … ≡ 1 mod N^2
• Correctness: C^d = ((1+N)^v · R^N)^d = (1+N)^{vd} · R^{Nd} = (1+N)^{vd} · R^{4Npqk} ≡ (1+N)^v mod N^2; (1+N)^v = 1 + vN + (…)N^2 + … ≡ 1 + vN mod N^2; hence ((C^d - 1) mod N^2)/N = v
Homomorphicity
• Public key N = PQ = (2p+1)(2q+1)
• Encrypt vote v ∈ Z_N using randomness R ∈ Z_N^*: C = (1+N)^v · R^N mod N^2
• Homomorphic: (1+N)^v · R^N · (1+N)^w · S^N ≡ (1+N)^{v+w} · (RS)^N mod N^2
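The slides' Paillier variant carried through in Python as an added example (not the slides' own code): key generation by CRT, encryption, the decryption formula and a homomorphic yes/no tally. The primes p = 29, q = 41, the votes and the randomness are constructed toy values.

```python
import math

# Constructed toy parameters following the slides' variant: N = (2p+1)(2q+1) with p, q prime,
# decryption exponent d = 1 mod N and d = 0 mod 4pq. Real keys use ~1024-bit primes.
p, q = 29, 41                    # constructed; 2p+1 = 59 and 2q+1 = 83 are prime as well
N = (2 * p + 1) * (2 * q + 1)    # 4897
N2 = N * N
ORDER = 4 * N * p * q            # |Z_{N^2}^*| = N * phi(N) = 4Npq

def keygen() -> int:
    """d = 1 (mod N) and d = 0 (mod 4pq) via CRT; gcd(N, 4pq) = 1 holds for these parameters."""
    m = 4 * p * q
    d = m * pow(m, -1, N) % (N * m)   # the multiple of m that is 1 mod N
    assert d % N == 1 and d % m == 0
    return d

def encrypt(v: int, R: int) -> int:
    """C = (1+N)^v * R^N mod N^2 with v in Z_N, R in Z_N^* (R passed explicitly so runs are reproducible)."""
    assert 0 <= v < N and math.gcd(R, N) == 1
    return (pow(1 + N, v, N2) * pow(R, N, N2)) % N2

def decrypt(C: int, d: int) -> int:
    """C^d = (1+N)^v mod N^2, since R^(Nd) = 1 (Nd is a multiple of 4Npq) and (1+N)^N = 1;
    then (1+N)^v = 1 + vN mod N^2, so (C^d - 1)/N recovers v."""
    return ((pow(C, d, N2) - 1) % N2) // N

def homomorphic_tally(ciphertexts, d: int) -> int:
    """The product of ciphertexts encrypts the sum of the votes: (1+N)^(v+w) (RS)^N."""
    acc = 1
    for C in ciphertexts:
        acc = (acc * C) % N2
    return decrypt(acc, d)

def demo() -> int:
    d = keygen()
    votes = [1, 0, 1, 1, 0, 1]               # constructed yes/no votes
    rands = [17, 23, 101, 2025, 3, 4444]     # constructed randomness, all coprime to N
    cts = [encrypt(v, R) for v, R in zip(votes, rands)]
    return homomorphic_tally(cts, d)         # 4
```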
Attack against privacy (diagram: voters P1: v1, P2: v2, P3 post C1, C2, C3 on the BB under PK; a single party holds SK)
Threshold encryption (diagram: Setup(ν) → params; Kg → pk, sk1, …, skN; Enc_pk(m) → C; each Dec_ski(C) → mi; Combine(m1, m2, …, mN) → m)
Threshold encryption
• Syntax:
• Key Generation(n, k): outputs pk, vk, (sk1, sk2, …, skn)
• Encrypt(pk, m): outputs a ciphertext C
• Decrypt(C, ski): outputs mi
• ShareVerify(pk, vk, C, mi): outputs accept/reject
• Combine(pk, vk, C, {m_i1, m_i2, …, m_ik}): outputs a plaintext m
(exponent) ElGamal
n-out-of-n threshold ElGamal
Threshold decryption
Private but not robust: …and I hid my secret key
Shamir k out of n threshold secret sharing:
k-out-of-n threshold ElGamal
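As an added Python example (not from the slides) covering the threshold syntax, Shamir sharing and k-out-of-n exponent ElGamal: the election secret x is shared over Z_q, votes are tallied homomorphically, and any k trustees' decryption shares C1^{x_i} are combined with Lagrange coefficients in the exponent. The toy group, the key, the polynomial coefficients, the votes and the randomness are constructed.

```python
P, Q, G = 2039, 1019, 4   # constructed toy group: G generates the order-q subgroup of Z_p^*, p = 2q+1
def shamir_share(secret, k, n, coeffs):
    """Shamir k-out-of-n: f(z) = secret + a1*z + ... + a_{k-1}*z^{k-1} mod q; share i is (i, f(i))."""
    assert len(coeffs) == k - 1 and n < Q
    def f(z):
        return (secret + sum(a * pow(z, j + 1, Q) for j, a in enumerate(coeffs))) % Q
    return [(i, f(i)) for i in range(1, n + 1)]

def lagrange_at_zero(idxs):
    """lambda_i = prod_{j != i} j/(j - i) mod q, so that sum_i lambda_i * f(i) = f(0) for any k shares."""
    lam = {}
    for i in idxs:
        num = den = 1
        for j in idxs:
            if j != i:
                num = num * j % Q
                den = den * ((j - i) % Q) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def encrypt(h, m, r):
    """Exponent ElGamal: (g^r, g^m h^r). Multiplying two ciphertexts adds the plaintext exponents."""
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P)

def decryption_share(c, share):
    """Trustee i publishes d_i = C1^{x_i} (in practice together with a proof of correctness)."""
    return (share[0], pow(c[0], share[1], P))

def combine(c, shares_out, max_votes):
    """prod_i d_i^{lambda_i} = C1^{sum lambda_i x_i} = C1^x; then g^m = C2 / C1^x and m is found by search."""
    lam = lagrange_at_zero([i for i, _ in shares_out])
    c1x = 1
    for i, d_i in shares_out:
        c1x = c1x * pow(d_i, lam[i], P) % P
    gm = c[1] * pow(c1x, -1, P) % P
    for m in range(max_votes + 1):          # the tally is at most the number of voters
        if pow(G, m, P) == gm:
            return m
    raise ValueError("tally out of range")

def demo(k=3, n=5):
    x, h = 321, pow(G, 321, P)               # constructed election key pair (x secret, h = g^x public)
    shares = shamir_share(x, k, n, coeffs=[55, 910])   # constructed polynomial coefficients
    votes, rands = [1, 0, 1, 1], [7, 8, 9, 10]          # constructed yes/no votes and randomness
    cs = [encrypt(h, v, r) for v, r in zip(votes, rands)]
    tally = (1, 1)                           # homomorphic tally of the whole bulletin board
    for c in cs:
        tally = (tally[0] * c[0] % P, tally[1] * c[1] % P)
    any_k = [decryption_share(tally, s) for s in (shares[0], shares[2], shares[4])]
    return combine(tally, any_k, max_votes=len(votes))    # 3
```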
Mixnets
• Homomorphic tallying is great, but not for complex functions
• Instead of homomorphically computing Enc_pk(f(v1, v2, …, vn)), simply decrypt all votes
Rerandomizable encryption (diagram: combining a vote with an encryption of 0 leaves the vote unchanged): Enc_pk(m; r) · Enc_pk(0; s) = Enc_pk(m; r+s)
Mixnet (diagram: input ciphertexts vote1, vote2, …, voteN are rerandomized and output in permuted order)
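Rerandomization and one mix server over exponent ElGamal, as an added Python example (not from the slides): every input is multiplied by a fresh encryption of 0 and the results are output in permuted order, so no output equals an input while the multiset of votes is preserved. Group, key, permutation and randomness are constructed toy values.

```python
P, Q, G = 2039, 1019, 4    # constructed toy group: G generates the order-q subgroup of Z_p^*

def encrypt(h, m, r):
    """Exponent ElGamal under public key h = g^x: (g^r, g^m h^r)."""
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P)

def rerandomize(h, c, s):
    """Enc(m; r) * Enc(0; s) = (g^r g^s, g^m h^r h^s) = Enc(m; r + s): same plaintext, fresh randomness."""
    zero = encrypt(h, 0, s)
    return (c[0] * zero[0] % P, c[1] * zero[1] % P)

def mix(h, ciphertexts, perm, fresh_rands):
    """One mix server: rerandomize every input, then output them in the order given by perm."""
    assert sorted(perm) == list(range(len(ciphertexts)))
    rerand = [rerandomize(h, c, s) for c, s in zip(ciphertexts, fresh_rands)]
    return [rerand[i] for i in perm]

def decrypt(x, c, max_m=16):
    """g^m = C2 / C1^x; the small exponent m is recovered by search."""
    gm = c[1] * pow(pow(c[0], x, P), -1, P) % P
    return next(m for m in range(max_m + 1) if pow(G, m, P) == gm)

def demo():
    x = 321                                        # constructed secret key
    h = pow(G, x, P)
    votes, rands = [2, 0, 1, 2], [11, 12, 13, 14]  # constructed votes and encryption randomness
    inputs = [encrypt(h, v, r) for v, r in zip(votes, rands)]
    outputs = mix(h, inputs, perm=[2, 0, 3, 1], fresh_rands=[100, 101, 102, 103])
    unlinkable = all(o not in inputs for o in outputs)   # no output equals an input ciphertext
    same_votes = sorted(decrypt(x, o) for o in outputs) == sorted(votes)
    return unlinkable, same_votes
```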
Misbehaving parties – voters (diagram: BB, SK; vote1, vote2, …, voteN enter the mix and come out permuted)
Misbehaving parties – mixers (diagram: the mixer replaces the votes vote1, vote2, …, voteN with Vote*, vote*, Vote*)
Misbehaving parties – tally authorities. "The people who cast the votes decide nothing. The people who count the votes decide everything." (diagram: BB with vote1, vote2, …, voteN; SK; Vote*, vote*, Vote*)
Misbehaving parties
• Voters: non-well-formed votes; problematic for homomorphic tallying
• Mixservers: may completely replace the encrypted votes
• Tallying authorities: may lie about the decryption results
ZERO KNOWLEDGE PROOFS
Interactive proofs [GMW 91] (diagram: the Prover holding (X, w) and the Verifier holding X exchange messages M1, M2, M3, …, Mn; the Verifier outputs Accept/Reject). Want to convince the Verifier that something is true about X. Formally: Rel(X, w) for some w. Variant: the prover actually knows such w. Examples:
• Rel_{g,h}((X, Y), z) iff X = g^z and Y = h^z
• Rel_{g,X}((R, C), r) iff R = g^r and C = X^r
• Rel_{g,X}((R, C), r) iff R = g^r and C/g = X^r
• Rel_{g,X}((R, C), r) iff (R = g^r and C = X^r) or (R = g^r and C/g = X^r)
• Rel_L(X, w) iff X ∈ L
Properties (informal)
• Completeness: an honest prover always convinces an honest verifier of the validity of the statement
• Soundness: a dishonest prover can cheat only with small probability
• Zero knowledge: no other information is revealed
• Proof of knowledge: a witness can be extracted from a successful prover
Where is Waldo?
Sudoku solution
Equality of discrete logs [CP 92]
Completeness
(Special) Soundness
(HV) zero-knowledge (diagram: the prover holds (X, w) with Rel(X, w) and the verifier holds X; the prover sends R, the verifier sends the challenge c, the prover answers s). There exists a simulator SIM that produces transcripts that are indistinguishable from those of the real execution (with an honest verifier).
Special zero-knowledge (diagram: the same (R, c, s) exchange)
Special zero-knowledge for CP
OR-proofs [CDS 95, C 96] (diagram: two sigma protocols, (R1, c1, s1) for Rel1(X, w) and (R2, c2, s2) for Rel2(Y, w)). Design a protocol for Rel3(X, Y, w) where Rel3(X, Y, w) iff Rel1(X, w) or Rel2(Y, w)
OR-proofs (diagram, three steps: the prover holding (X, Y, w) with Rel1(X, w) sends R1, R2; the verifier sends a single challenge c; the prover sets c1 = c - c2 and answers with (c1, s1), (c2, s2)). To verify: check that c1 + c2 = c and that (R1, c1, s1) and (R2, c2, s2) are accepting transcripts for the respective relations.
Exercise
• (easy) Show that the OR protocol is a complete, zero-knowledge protocol with special soundness
• (easy) Design a sigma protocol to show that an exponent ElGamal ciphertext encrypts either 0 or 1
• (medium) Design a sigma protocol to show that an exponent ElGamal ciphertext encrypts either 0, 1, or 2
Zero-knowledge for all of NP [GMW 91]. Theorem: If secure commitment schemes exist, then there exists a zero-knowledge proof for any NP language
Non-interactive proofs (diagram: the Prover holding (X, w) sends a single message to the Verifier holding X)
The Fiat-Shamir/Blum transform (diagram: left, the interactive protocol in which the prover sends R, the verifier picks c and the prover answers s; right, the prover computes c = H(X, R) itself). The proof is (R, s). To verify: compute c = H(X, R) and check (R, c, s) as before.
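The Chaum-Pedersen proof of equal discrete logs (Rel_{g,h}((X, Y), z) above) made non-interactive with a strong Fiat-Shamir challenge that hashes the statement together with the commitments, plus its honest-verifier simulator and its use for proving a correct ElGamal decryption share. This is an added Python example, not the slides' own code; the toy group, the trustee key and the randomness are constructed.

```python
import hashlib

P, Q, G = 2039, 1019, 4   # constructed toy group: G generates the order-q subgroup of Z_p^*

def challenge(*elems):
    """Strong Fiat-Shamir: the statement (g, h, X, Y) is hashed together with the commitments R1, R2."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def cp_prove(g, h, z, t):
    """Chaum-Pedersen: prove X = g^z and Y = h^z share the exponent z; t is the prover's randomness."""
    X, Y = pow(g, z, P), pow(h, z, P)
    R1, R2 = pow(g, t, P), pow(h, t, P)
    c = challenge(g, h, X, Y, R1, R2)
    s = (t + c * z) % Q
    return (X, Y), (R1, R2, s)

def cp_verify(g, h, stmt, proof):
    """Recompute c from the transcript and check g^s = R1 X^c and h^s = R2 Y^c."""
    X, Y = stmt
    R1, R2, s = proof
    c = challenge(g, h, X, Y, R1, R2)
    return (pow(g, s, P) == R1 * pow(X, c, P) % P and
            pow(h, s, P) == R2 * pow(Y, c, P) % P)

def cp_simulate(g, h, stmt, c, s):
    """HVZK simulator for the interactive protocol: pick c and s first, then R1 = g^s X^-c, R2 = h^s Y^-c."""
    X, Y = stmt
    R1 = pow(g, s, P) * pow(pow(X, c, P), -1, P) % P
    R2 = pow(h, s, P) * pow(pow(Y, c, P), -1, P) % P
    return R1, R2   # (R1, R2, c, s) verifies exactly like a real transcript, without knowing z

def interactive_check(g, h, stmt, R1, R2, c, s):
    X, Y = stmt
    return pow(g, s, P) == R1 * pow(X, c, P) % P and pow(h, s, P) == R2 * pow(Y, c, P) % P

def demo():
    # Correct distributed ElGamal decryption: trustee i with secret x_i has published h_i = g^{x_i}
    # and now publishes the share d_i = C1^{x_i}; proving log_g h_i = log_C1 d_i shows d_i is correct.
    x_i, C1 = 123, pow(G, 77, P)      # constructed trustee key and ciphertext component C1 = g^r
    stmt, proof = cp_prove(G, C1, x_i, t=555)
    valid = cp_verify(G, C1, stmt, proof)
    bogus = cp_verify(G, C1, (stmt[0], stmt[1] * G % P), proof)   # a tampered share is rejected
    R1, R2 = cp_simulate(G, C1, stmt, c=17, s=999)
    return valid, not bogus, interactive_check(G, C1, stmt, R1, R2, 17, 999)
```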
Strong Fiat Shamir security
Three applications of NIZKPoKs
• Construction of NM-CPA schemes out of IND-CPA ones (dishonest voters)
• Proofs of correct decryption for tallying based on threshold decryption (dishonest talliers)
• Verifiable mixnets/shuffles (dishonest mixers)
ElGamal + PoK
ElGamal + PoK
• Theorem: ElGamal+PoK as defined is NM-CPA in the random oracle model, if DDH holds in the underlying group.
• Theorem: Enc2Vote(ElGamal+PoK) has vote secrecy in the random oracle model.
Random oracles [BR 93, CGH 98]
• Unsound heuristic
• There exist schemes that are secure in the random oracle model for which any instantiation is insecure
• Efficiency vs security
Exercise: Correct distributed ElGamal decryption
• (easy) Design a non-interactive zero knowledge proof that Pi behaves correctly
Mixnet (diagram: input ciphertexts vote1, vote2, …, voteN are rerandomized and output in permuted order)
Verifiable shuffle [KS 95] (diagram: inputs C1, C2, …, Ci, …, CN; intermediate values D in permuted order; outputs E1, E2, …, EN)
Verifiable shuffle [KS 95]
Exercise
• (easy) The previous protocol is complete
• (easy) The previous protocol has special soundness. What is the soundness error? What do we do about it?
• (easy) Prove zero-knowledgeness
Helios
Helios: vote preparation (diagram: voter P with vote v produces a ciphertext C and a proof)
• C = ENC_PK(v) is an encryption of the vote under a public key specific to the election
• the accompanying proof shows that C encrypts a valid vote
Helios: voting (diagram: voters P1: v1, P2: v2, …, Pn: vn post C1, C2, …, Cn on the BB)
Helios: tallying (diagram: the ciphertexts on the BB, C1, C2, …, CN, are processed into the votes, which appear in permuted order vote(1), vote(2), …, vote(N))
Helios (diagram: voters P1: v1, P2: v2, …, Pn: vn post C1, C2, …, Cn on the BB; the output votes appear in permuted order)
SUMMARY
Basic primitives and models
Techniques
Schemes
Ballot secrecy for SPS (diagram as above)
Useful, desirable, difficult to get
(not) The end.