Electronic Voting Schemes and Other stuff

Requirements

• Only eligible voters can vote (once only)• No one can tell how voter voted• Publish who voted (?)• Voter cannot be coerced/bribed to voting some way• Voter cannot prove how she voted.• The final tally is the correct sum• Every voter can verify her vote, or assign other to verify• Everyone can verify total• No disruption• No partial results known

Chaum’s Onion Routing

BA C D E

Pub Pub Pub PubENC (ENC (ENC (ENC ( , ), ), ), )B C D E E D C Bm R R R R

Pub Pub PubENC (ENC (ENC ( , ), ), )C D E E D Cm R R R

Pub PubENC (ENC ( , ), )D E E Dm R R

BRER

Note: messages are same length

DRCR

Voting in Mix Nets

• Voters create ballots

• Every voter encrypts ballot

• t mix servers (one after the other)

• Decryption network: encryption peeled off and order randomized in server

• Reencryption networks: use El-Gamal

El Gamal Encryption

• g a generation of Zp*, p=2q+1• x is the secret key• y = gx is the public key, g is a generator• E(m) = (gr, myr) = (c1,c2), r random, is the

encryption• D(c1,c2) = c2 / c1

x = m• Reencryption: • ReEnc(c1,c2) = (c1gs, c2ys) , s random, is the

reencryption

Need to prove correct reencryption

• c1 = (gt, m1yt)• c2 = (gu, m2yu)• c1[1]/c2[1] = gt-u = gr = w (Define r = t-u, w)• c1[2]/c2[2] = yt-u = (m1/m2)yr = u• Prover/Verifier Protocol• (gs,ys) = (a,b) -> Verifier• Prover <- c • t = s+cr -> Verifier, check that gt = a wc and that yt = b uc

• Verfier needs to be honest here, why? What does verifier learn?

y=gx

Chaum Pederson

• For G, X, H, Y prove that – logG X = log H Y

• Honest Verifier Zero Knowledge Proof of Knowledge

• Example question for exam:– Define HVZK proof of knowledge– Prove that Chaum Pederson protocol is HVZK

proof of knowledge

Honest Verifier ZK (Sigma-Nets)

• x is common input to P, V, w is a witness for x, private to P

• P sends a message A

• V sends a random t-bit string e.

• P sends a reply z

• V decides to accept or reject based on the data he has seen, i.e. x, a, e, z.

Honest Verifier ZK

• For any (a, e, z), (a, e’, z’) where e <> e’, one can efficiently compute a witness w for x

• There exists a polynomial-time simulator M, which on input x and a random e outputs an accepting conversation of the form (a, e, z), with the same probability distribution as conversations between the honest P, V on input x.

• Proofs of Knowledge: resetable P allows simulator to compute witness w.

Homomorphic El Gamal

• c1 = (gt, m1yt)

• c2 = (gu, m2yu)

• c1c1 = (gt+u, m1m2yt+u)

• Encode 1 = no vote

• g = yes vote

Payments

• Untraceable electronic cash– Online– Offline

• Micropayment protocols

• “Real Protocols” – SET, EMC, – EMC is really used, old– SET seems to be dead in the water

Main idea (Chaum): blind signatures

• RSA: m 1/e mod n

• Blind RSA: – Two party protocol:

• Alice sends Bob (re m) mod n

• Bob computes (re m)1/e = r m1/e mod n

• Alice computes m1/e mod n

• Problems: – Alice can get Bob to sign anything, – Bod does not know what he is signing

Online Non-Anonymous Cash

Let’s follow the flow of a $1 bill:• Alice takes the string m = “account number” || “serial

number”, chooses a random r, and sends m re mod n to the bank

• The bank signs this message and sends m1/e r to Alice

• Alice extracts a signature on “account number” || “serial number” (m1/e) , and gives it to the merchant

• The merchant sends this to the bank, that verifies that the bill has not been used previously

Problems

• No anonymity• What is Alice having signed anyway? The

bank does not know.– Imagine that a signature on the string “f(s)”

means one dollar– Alice could prove to the bank that this is the

format of what she is asking for• Could be done via general multiparty computation• Could be done via cut and choose (the rabbit

problem)

Online Anonymous Cash

• Alice chooses a random s, r, sends re (f(s)) to the bank

• The bank debits Alice’s account by $1 and send r (f(s))1/e to Alice

• Alice extracts (f(s))1/e, and gives it and s to the merchant

• The merchant sends this to the bank, that verifies that the bill (s) has not been used previously

Advantages & Problems:

• The bank has given Alice a bill, but does not know what the bill looks like

• The bank cannot later identify Alice with the bill

• The bank must be online at all times to identify bills

• Multiparty computation is entirely inefficient

How to do cut and choose here

• Alice sends the bank many values z1, z2, …, zk

• The bank asks Alice to reveal ½ of the values zi = ri (f(si))• The bank extracts the root of the multiplication of all the

others• The bill is valid if it is of the root of a product of (f(si)) • Remark: in this case, it’s not clear that we need for Alice

to prove anything to the bank, any deviation from protocol for Alice can only harm her

How to do Offline Anonymous Cash?

• If Alice “double spends” – she will be caught and identified

• If Alice does not – her anonymity is guaranteed

• The merchant cannot reuse the money (other than send it to the bank)

Idea: encode Alice’s identity into the money

• Alice generates f(s1), f(s2), … f(sk), t1 || f(t1), f(t2), …, f(tk), such that si xor ti = “Alice”

• Alice sends blinded versions of all of these to the bank• The bank verifies the correctness and sends Alice the root

of the product of the indices not revealed• The merchant asks alice for the signature and for a random

subset of the indices• If Alice double spends, her identity becomes known to the

bank.

El-Gamal Signature Scheme

• Pick a prime p of length 1024 bits such that DL in Zp* is hard.

• Let g be a generator of Zp*.• Pick x in [2,p-2] at random.• Compute y=gx mod p. • Public key: p,g,y.• Private key: x.

Generation

El-Gamal Signature Scheme

• Hash: Let m=H(M). • Pick k in [1,p-2] relatively prime to p-1 at random.• Compute r=gk mod p. • Compute s=(m-rx)k-1 mod (p-1) (***)• Output r and s.

Signing M

El-Gamal Signature Scheme

• Compute m=H(M).• Accept if 0<r<p and yrrs=gm mod p. else reject.• What’s going on?By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m.

Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .

Verify M,r,s,PK

The Digital Signature Algorithm (DSA)

• Let p be an L bit prime such that the discrete log problem mod p is intractable

• Let q be a 160 bit prime that divides p-1

• Let α be a q’th root of 1 modulo p.

How do we compute α?

The Digital Signature Algorithm (DSA)

• p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p

• Private key: random 1 ≤ s ≤ q-1.

• Public key: (p, q, α, β = αs mod p)

• Signature on message M:– Choose a random 1 ≤ k ≤ p-1, secret!!

• Part II: (SHA (M) + s (PART I)) / k mod q

• Part I: ((αk mod p) mod q

The Digital Signature Algorithm (DSA)

– p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M:

• Choose a random 1 ≤ k ≤ p-1, secret!!– Part I: ((αk mod p) mod q

– Part II: (SHA (M) + s (PART I)) /k mod q

• Verification: – e1 = SHA (M) / (PART II) mod q

– e2 = (PART I) / (PART II) mod q

– OK if1 2( mod ) mod (PART I)e e p q

The Digital Signature Algorithm

1

22

( ) / ( ) ( mod )mod / mod

( mod )mod / ( ) ( mod )mod / mod

k

k k

SHA M SHA M s p q k qe

e p q SHA M s p q k qe s s

Testing Primitive Elements mod p

Let p be a prime number so that the primefactorization of p-1 is known: p-1 = q1

e1 q2e2 … qk

ek (q1, q2,…, qk primes).

Theorem: gZp is a primitive element in Zp iff

g(p-1)/q1 , g(p-1)/q2, … , g(p-1)/qk are all 1 mod pAlgorithm: Efficiently compute all k powers.Caveat: Requires factorization of p-1.

Proof

• If g is a primitive mod p then gi mod p ≠ 1 for all 1 ≤ i ≤ p-2

• If g is not a primitive element mod p, let d be the order of g. d divides p-1, let q be a prime divisor of (p-1)/d, then

• gd = 1 mod p, d divides (p-1)/q, and so g(p-1)/q =1 mod p.