Code Verification Elections

Scaling Privacy Guaranteesin Code Verification Elections

Anthi Orfanou

Columbia University

July 18, 2013

Joint work with Aggelos Kiayias (University of Athens)

Anthi Orfanou (Columbia University) Scaling Privacy Guarantees July 18, 2013 1 / 19

Internet voting / The untrusted platform problem

Voters: Cast votes

Personal Computers: Encode, encrypt and submit votes

Vote Collectors: Receive and store votes

Talliers: Process the votes and compute the result

The untrusted platform problem:

PC is vulnerablemalicious software attempts to modify the vote

Voter PCVote Collector Tallier

Internet


Previous work

Code Voting [SureVote: Chaum’01] [PGD: RT’09, HRT’10] ...

Vote secrecy & vote integrity against malicious PC

Code Verification Voting [HLV’10] [Gjøsteen’10,’11] [Lipmaa’11]

Simpler approachIntegrity against malicious PC (the PC sees the vote)Uses receipts to guarantee correct vote submission

generation, distribution, reconstruction phases

Requires secondary platform that receives the receipts (e.g. mobilephone)Requires 2 attacker free channels

Pre/Post-channel: receipt distribution, receipt feedbackPostal service/SMS


Security Guarantees

Previous work [HLV’10] [Gjøsteen’10,’11]

Messenger server (MS): reconstructed the security code to be sent tothe voter

Cast as intended: Detection if the PC is malicious. Violated: PC &MS coalitions

Vote Secrecy: Guaranteed against individuals only. Violated: VC &MS coalitions

Our results

Question: How to avoid the latter infrastructure server collusion attack?

Without additional PC-side secrets (key management) [Lipmaa’11]

Maintaining human verifiability


A New Vote-Verification Protocol

Use a set of identical voting servers:

No distinction between vote collectors & messenger

Share the receipt among the servers:

No share leaks informationThe receipt can be:

the vote itselfor a voter-dependent security code as beforeor a visual representation of the vote (image)

Voter verification: combine the shares to reconstruct the receipt



Assumption: an average human can do additions mod 10, 100, . . .

Consider m candidates in Zm and n ≥ 2 voting servers

Pedersen commitments, ElGamal cryptosystem over 〈g〉q ⊂ Zp, (q, p)primes, Range proof in exponents [LAN’03]

The receipt is the actual vote

Let u = minλ 10λ s.t. m ≤ 10λ < q, System parameters (g , q, p, u)

Broadcast channel from PC to the voting servers

Untappable (post)channel from servers to the voter


A New Vote-Verification Protocol - n Servers

Voter VVotes for x ∈ Zm

Server S1

Server Sn

SSS

Tallier

x




Picks x1, . . . , xn ∈ Zux = x1 + · · ·+ xn mod u

Ci =Com(xi )Et = Enctallier (x)

ZKP π

Server S1

Server Sn

SSS

Tallier

x






ZKP π

Server S1

Server Sn

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)






ZKP π

Server S1Open C1, π : x ∈ Zm

x = x1 + · · ·+ xn mod u

Server SnOpen Cn, π : x ∈ Zm

x = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)






ZKP π


x = x1 + · · ·+ xn mod u


x = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

xn

x1




x?= x1 + · · ·+ xn mod u



ZKP π


x = x1 + · · ·+ xn mod u


x = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

xn

x1




x?= x1 + · · ·+ xn mod u



ZKP π


x = x1 + · · ·+ xn mod u


x = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

xn

x1

Et



A 2-Server exampleVote 7 7 5 5

Server 1 2 9 2 9

Server 2 5 8 3 6

Sum mod 10 7 mod 10 17 mod 10 5 mod 10 15 mod 10


Security & Complexity

Cast as intended: A correct receipt guarantees a successfullysubmitted original vote

Threshold vote secrecy: with an (n, n)-secret sharing scheme nocoalition of less than n servers can extract information about the vote

Complexity (online exponentiations):

PC: 4(blog2(m − 1) + 1c+ 11n, 1 signingServer: 5(blog2(m− 1) + 1c+ 5n + 4, 1 signing, 1 signature verification


Adaptation to Code Verification protocol

Code generation:Pick bV ,1 . . . bV ,n ∈ Zu

bV =∑n

i=1 bV ,i mod uCodeV [x] = x + bV mod uVoter V

Votes for x ∈ Zm

x?= x1 + · · ·+ xn mod u



ZKP π


x = x1 + · · ·+ xn mod u


x = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

xn

x1

Et




bV =∑n


Votes for x ∈ ZmC = CodeV [x]

x?= x1 + · · ·+ xn mod u



ZKP π

Server S1bV ,1 ∈ Zu

Open C1, π : x ∈ Zmx = x1 + · · ·+ xn mod u

Server SnbV ,n ∈ Zu

Open Cn, π : x ∈ Zmx = x1 + · · ·+ xn mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

xn

x1

Et




bV =∑n



x?= x1 + · · ·+ xn mod u



ZKP π


Open C1, π : x ∈ Zmx = x1 + · · ·+ xn mod ua1 = x1 + bV ,1 mod u


Open Cn, π : x ∈ Zmx = x1 + · · ·+ xn mod uan = xn + bV ,n mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

an

a1

Et




bV =∑n



C?= a1 + · · ·+ an mod u



ZKP π


Open C1, π : x ∈ Zmx = x1 + · · ·+ xn mod ua1 = x1 + bV ,1 mod u


Open Cn, π : x ∈ Zmx = x1 + · · ·+ xn mod uan = xn + bV ,n mod u

C1, . . . ,CnEt , π

SSS

Tallier

x

Op

en(C

1)

Open(Cn)

an

a1

Et


Adaptation to Visual Vote verification protocol

Visual vote representation

Previous work: Visual Cryptography [NS’94]: secret sharing of an image

supervised (booth) voting [Chaum’04]

Our approach: Associate a message x ∈ Zm with a simple image, with a provablerelation

Visual sharing of shape descriptions (VSSD)

Consider two shapes that can be visually interpreted by a human:

A “full” circle

A “half” circle


Visual sharing of shape descriptions (VSSD)

What shape does the overlaying of two half circles create?

+ = full circle

+ = full circle

+ = half circle

+ = half circle


n-VSSD definition

In general n share-holders (servers)

M a set of m ≥ 2 messages (candidates)

Dx the set of visual descriptions for message x ∈ M, |Dx | ≥ 1

Λ the visual alphabet, commutative semigroup with operation ∨P : M → Λn randomized splitting function

Properties:

Solvability: ∀x ∈ M ∀〈v1, . . . , vn〉 ∈ P(x): ∨ni=1vi ∈ Dx

(t, n)-Resilience: Consider n-tuple w = (a ∪ {#})n s.t.

w has (at most) t < n known shares a ∈ Λn − t unknown shares # ∈ Λthen ∃ 0 < c < 1 s.t. Probv←P(x)[w ∈ v ] = c


Our approach: A 2-VSSD

Simple 2-VSSD: n=2 servers, m = 2 messages

2 messages: M∗ = {0, 1}

Λ∗ = { , }, ∨: visual overlaying (logical bitwise OR)

0↔: full circle

D∗0 = { }, P∗(0) = {〈 , 〉, 〈 , 〉}

1↔ half circle

D∗1 = { , }, P∗(1) = {〈 , 〉, 〈 , 〉}


Our approach: A 2-VSSD

Simple 2-VSSD: n=2 servers, m = 2 messages

2 messages: M∗ = {0, 1}

Λ∗ = { , }, ∨: visual overlaying (logical bitwise OR)

0↔: full circle

D∗0 = { }, P∗(0) = {〈 , 〉, 〈 , 〉}

1↔ half circle

D∗1 = { , }, P∗(1) = {〈 , 〉, 〈 , 〉}

General 2-VSSD: n=2 servers, m ≥ 2 messages

M = Zm, k = # of bits of m − 1

Λ = Λ∗k

P(x): Splits each bit bi of x in Λ∗

Dx : A description of x is a concatenation of its bits’ visual descriptions in D∗x


An example

Message Shape Dx P(x)

00 Two full circles ( , ) ( , )

( , ) ( , )

01 Full circle fol-lowed by halfcircle

( , ) ( , )

( , ) ( , )

10 Half circle fol-lowed by full cir-cle

( , ) ( , )

( , ) ( , )

11 Two half circles , ( , ) ( , )

, ( , ) ( , )

(1, 2)-Resilience: Prob[( ,#) ∈ P(0)] = Prob[( ,#) ∈ P(1)] =

Prob[( ,#) ∈ P(2)] = Prob[( ,#) ∈ P(3)] = 1/4


A Visual Vote-Verification Protocol - 2 VSSD

Voter VVotes for 1 ∈ Zm

D1 = “full followed by half”

Server S1

Server S2

Tallier

1





VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1

Commitments to v , v1, v2Et = Enctallier (1)

ZKP π′

Server S1

Server S2

Tallier

1





VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′

Server S1

Server S2

CommitmentsEt , π′

Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2





VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′

Server S1π′ : VSSD(v1) ↔ Et



Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2





VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′




Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2





( , ) ∨ ( , )?∈ D1

VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′




Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2





Yes: ( , ) ∈D1

VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′




Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2





Yes: ( , ) ∈D1

VSSD: 〈v1, v2〉 ← P(1)v = (v1 ∨ v2) ∈ D1


ZKP π′




Tallier

1

{Open

(Com

)}v 1

{Open(Co

m)}v2

Et


Future work

General (t, n)-VSSD?

Perhaps using Colored Visual Secret Sharing [VT’97]?


The end


References

David Chaum. Surevote. International patent WO 01/55940 A1, 2001.

David Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy, 2(1):38-47, 2004.

Kristian Gjøsteen. The norwegian internet voting protocol. In VOTE-ID, pages 1-18, 2011.

Kristian Gjøsteen. Analysis of an internet voting protocol. IACR Cryptology ePrint Archive, 2010:380, 2010.

James Heather, Peter Y. A. Ryan, and Vanessa Teague. Pretty good democracy for more expressive voting schemes. In

Proceedings of the 15th European conference on Research in computer security, ESORICS10, pages 405-423, Berlin,Heidelberg, 2010. Springer-Verlag.

Sven Heiberg, Helger Lipmaa, and Filip van Laenen. On e-vote integrity in the case of malicious voter computers. In

ESORICS, pages 373-388, 2010.

Helger Lipmaa. Two simple code-verification voting protocols. IACR Cryptology ePrint Archive, 2011:317, 2011.

Helger Lipmaa, N. Asokan, and Valtteri Niemi. Secure Vickrey auctions without threshold trust. In Proceedings of the

6th international conference on Financial cryptography, FC02, pages 87-101, Berlin, Heidelberg, 2003. Springer-Verlag.

Moni Naor and Adi Shamir. Visual cryptography. In EUROCRYPT, pages 1-12, 1994.

Peter Y. A. Ryan and Vanessa Teague. Pretty good democracy. In Security Protocols Workshop, pages 111-130, 2009.

Eric R. Verheul and Henk C. A. Van Tilborg. Constructions and properties of k out of n visual secret sharing schemes.

Des. Codes Cryptography, 11(2):179-196, May 1997.


Documents

Code Verification Elections