1 Receipt-freedom in voting Pieter van Ede

Receipt-freedom in voting

Pieter van Ede

Important properties of voting

• Authority: only authorized persons can vote
• One vote
• Secrecy: nobody may know who voted for which candidate
• Correctness
• Verifiability
• Coercion-free: unable to bribe or threaten people to vote for particular candidate
• Show up checks, usability

Receipt-freedom

• Focus of this talk is coercion protection
• Imagine a threatened or bribed Alice
• We want to prevent Alice getting a proof of her vote.
• Called receipt-freedom

Rise of electronic voting

Government wants cheaper voting

Also less dependence on honesty of small number of election officials

Electronic voting works efficiently

Fall of electronic voting

No paper trail, so no recounting (Verifiability)

No public verifying of voting software

If verified, is THIS machine correct? (Correctness)

Is what is printed the same as recorded?

In the Netherlands, electronic voting is discontinued

Change of mind

• Do not rely on correctness of machine
• Rely on cryptographic correctness

First idea: paper ballots

Idea:
• Choose candidate on machine
• Machine prints out ballot
• Voter verifies and puts in box

Advantages:
• User can simply check for correctness
• No dependence on programmers or machine integrity

First idea: paper ballots (2)

Drawbacks:
• Still counting of paper (could be done automatically)
• Transportation of paper ballots
• Not much use for cryptography
• No coercion freedom: villain demands photograph

Ongoing research

Many cryptographic protocols proposed:
• Mixing: scrambles large batches of votes
• Blind signatures: require safe publishing channel
• Homomorphic: sum results and decrypt with secure computing

Many not receipt-free

Second idea

• Give user receipt
• Use commitment protocol

Commitment protocol:

1. User has secret A.

2. User commits to A by computing y = C(A). There is no A' ≠ A such that C(A) = C(A'), and y does not reveal A.

3. User opens y to prove it was a commitment to A.

Second idea (2)

Receipt-free universally verifiable voting protocol with everlasting privacy.

By Tal Moran and Moni Naor (Weizmann Institute of Science, Rehovot, Israel)

Based on other protocols, in particular Neff's voting Scheme

Properties of Moran-Naor

Everlasting privacy, but not in efficient version (Secrecy)

Universally verifiable: everybody interested can verify result (Verifiability)

Safe on voting machine running malicious code.

Receipt-freedom

Assumptions of Moran-Naor

• One-way untappable channel
• Achieved by requiring a booth
• Voter must easily verify machine

Voter perspective

• Dharma goes to vote
• Authorizes with election officials
• Enters the booth

Voter perspective

Finds a screen, keyboard and ATM-style printer

Votes for Betty

Voter perspective

Dharma is asked to type random words next to other candidates

Voter perspective

Printer prints out 2 lines, the commitment to Betty.

Dharma must verify that 2 lines were printed. She does not see what was printed, important for next phase.

Voter perspective

Dharma is asked to input random words next to Betty. This is a challenge, later used for verifiability; therefore she must not know the commitment statement.

Voter perspective

If all good, press OK. Otherwise, cancel and printout is still worthless.

Prints out voter and candidates with random words.

Voter perspective

Dharma chooses OK, machine prints CERTIFIED RECEIPT.

Now there is no way back.

Receipt also posted on bulletin board.

At home, check if receipt is correct on bulletin board.

Receipt-freedom of Moran-Naor

Coercer Trudy cannot see in what order the challenges were given.

She might however reverse engineer the commitment.

Impossible because of commitment scheme

Pedersen commitment scheme

Moran-Naor use Pedersen commitments in the efficient scheme

Based on the hardness of discrete logarithm

Pedersen commitment scheme (2)

Computations in $Z_q$

1. Machine commits to secret A.

2. Computes $y = P(A,r)$ (r is random)

3. $P(A,r) = h^{H(A)} g^{r}$ (h, g of order q; H collision free hash function)

4. Verifies that y is commitment of A, by sending (A,r). Only done in context of zero knowledge proof for verifiable counting, so this is safe.

Due to random r, commitment never shows secret A to Trudy.

Pedersen commitment scheme (3)

No A' and r' so that $P(A',r') = y$, because that implies:

$h^{A'} g^{r'} = h^{A} g^{r}$

$h^{A' - A} = g^{r - r'}$

$\frac{r - r'}{A' - A} = \log_g h$

But we assumed discrete logarithms were hard, so infeasible to do.
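The commit and open steps of the Pedersen scheme and the binding argument above, as an added Python example that is not part of the original slides. The group parameters (p = 2039, q = 1019, g = 4), the exponent x and the candidate name Carol are constructed toy values; a real election uses a large group in which nobody knows log_g h.

```python
import hashlib
import secrets

# Toy group (constructed for illustration, far too small for real use):
# p = 2q + 1 with p and q prime; g and h both have order q modulo p.
P, Q = 2039, 1019
G = 4
X = 777                  # log_g(h); in a real setup nobody may know this value
H_GEN = pow(G, X, P)     # the slide's h

def H(candidate: str) -> int:
    """Hash a candidate name into Z_q (the slide's H)."""
    digest = hashlib.sha256(candidate.encode()).digest()
    return int.from_bytes(digest, "big") % Q

def commit(candidate: str, r: int) -> int:
    """y = P(A, r) = h^H(A) * g^r mod p."""
    return pow(H_GEN, H(candidate), P) * pow(G, r, P) % P

def verify(y: int, candidate: str, r: int) -> bool:
    """Opening: the committer sends (A, r) and anyone recomputes y."""
    return y == commit(candidate, r)

def equivocate(candidate: str, r: int, other: str, x: int) -> int:
    """Given x = log_g(h), return r' with P(other, r') == P(candidate, r).

    Such an r' exists for every candidate, which is why y alone reveals
    nothing about A; finding it without x is the hard part."""
    return (r + x * (H(candidate) - H(other))) % Q

def extract_log(a: str, r: int, a2: str, r2: int) -> int:
    """Two openings of one y yield log_g(h) = (r - r') / (H(A') - H(A)) mod q."""
    diff = (H(a2) - H(a)) % Q
    if diff == 0:
        raise ValueError("hash collision: openings carry no information")
    return (r - r2) * pow(diff, -1, Q) % Q

if __name__ == "__main__":
    r = secrets.randbelow(Q)
    y = commit("Betty", r)
    print("commitment:", y, "opens to Betty:", verify(y, "Betty", r))
    r2 = equivocate("Betty", r, "Carol", X)
    print("with the trapdoor, y also opens to Carol:", verify(y, "Carol", r2))
    print("the two openings reveal log_g(h):", extract_log("Betty", r, "Carol", r2))
```

The last step is the slide's contradiction in code form: anyone able to open one commitment to two candidates can compute log_g h.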

One step further: Cybervote

• Project of European Commission
• Vote via mobile phone or internet
• All cryptography for nothing:
  • Pressure from father
  • Or friends at bar
• Could be fixed by allowing changing of votes, but does that work after a night at the bar?

Conclusion

Advantages:
• Receipt-freedom
• Many other nice properties of voting satisfied
• Feasible

Disadvantages:
• Users must trust mathematicians
• Coercion by bluffing about commitment
• Still a lot more work than paper voting
• Difficult for visually disabled
• Difficult for older people to use bulletin