Upload
erika-horton
View
220
Download
2
Tags:
Embed Size (px)
Citation preview
6. Esoteric Protocols
secure elections and multi-party computation
Kim Hyoung-Shick
Contents
1. Secure elections• Introduction
• Protocols
2. Secure multiparty computation• Introduction
• Examples
3. Conclusion
Contents
1. Secure elections• Introduction
• Protocols
2. Secure multiparty computation• Introduction
• Examples
Voting
What is the requirements ?
Voting
Secure Booth ?
Voting
Fair judge ?
Voting
We need two major requirements.
Privacy ! Fairness !
Traditional Voting Vs Electronic Voting
• Privacy
• Fairness
• Efficiency
Problems with Electronic Voting
• No physical audit trail
• Who provides the system?
• How are they audited?
• High Tech: More dependencies
• More ways to subvert the system
• etc.
Requirements for Electronic Voting
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Requirements for Electronic Voting
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Requirements for Electronic Voting
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Contents
1. Secure elections• Introduction
• Protocols
2. Secure multiparty computation• Introduction
• Examples
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Idea of Simplistic Voting Protocol #1
secure booth
= encryption
Simplistic Voting Protocol #1
Voter ViCentral Tabulating Facility
3. ECTF(V)
1. Choose V
PCTF
SCTF
4. Tabulate V’s
5. Publish the result2. Encrypt V into ECTF(V).
Unsatisfied Requirements
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered. (By intercept attack)
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Idea of Simplistic Voting Protocol #2
secure booth
= encryptionidentification card
= sign
Simplistic Voting Protocol #2
Voter ViCentral Tabulating Facility
4. ECTF(Si(V))
1. Choose V
PCTF Pi
SCTF
5. Decrypt, verify, tabulate V’s
Si
2. Sign V into Si(V)
3. Encrypt Si(V) into ECTF(Si(V))
6. Publish the result
Unsatisfied Requirements
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted. (CTF knows it.)
7. Everyone knows who voted and who didn’t.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Problem with Signature
Kim
노
Idea of Voting with Blind Signature
accept
노
Idea of Voting with Blind Signature
Be covered !
Voting with Blind Signature
Voter ViCentral Tabulating Facility
3. B(M)
1. Generate M = (O1, … , On, IDr , i)
PCTF Pi
SCTF
4. Check if B(M) is valid
Si
2. Blind M into B(M)
6. Choose SCTF(Oi)
5. SCTF(B(M))
7. Generate M’ = (SCTF(Oi), SCTF(IDr), SCTF(i))
Voting with Blind Signature
Voter ViCentral Tabulating Facility
8. M’
PCTF Pi
SCTF
9. Verify, check ID duplication
Si
10. Publish the result
B(M)
Unsatisfied Requirements
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted. (CTF knows it.) – it need to provide anonymous channel.
7. Everyone knows who voted and who didn’t.
Additional Some Problems
1. CTF can generate a large number of signed, valid votes and cheat by submitting those itself.
2. If voter discovers that the CTF changed his or her vote, he or she has no way to prove it.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Review of Traditional Voting
1. Check voter’s identification by checker.
checker voter
Review of Traditional Voting
2. Count votes in the ballot boxes by counter.
counter
Review of Traditional Voting
There are two positions in the voting.
counterchecker
Idea of Voting with Two Central Facilities
Central Tabulating FacilityCentral Legitimization Agency
Voting with Two Central Facilities
Voter ViCentral Legitimization Agency
1. Ask for VN
PCLA Pi
SCLA
2. Maintain VN list for voters
Si
3. VNr
VN list
Voting with Two Central Facilities
Central Legitimization Agency
4. VN list
PCLA PCTF
SCLA
Central Tabulating Facility
SCTF
VN list
Voter ViCentral Tabulating Facility
8. M
PCTF Pi
SCTF
9. Check if M is valid and maintain VN list
Si
10. Publish the result
Voting with Two Central Facilities
5. Choose IDr
6. Generate M = (V, IDr, VNr)
6. Choose SCTF(Oi)
7. Generate M’ = (SCTF(Oi), SCTF(IDr), SCTF(i))
VNr VN list
Unsatisfied Requirements
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted. (But, the collusion is possible.)
7. Everyone knows who voted and who didn’t.
Additional Some Problems
1. CLA can generate a large number of signed, valid votes and cheat by submitting those itself. – It solve that CLA publish a list of certified voters.
2. As stated above, the collusion is possible.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
What is ANDOS (All-Or-Nothing Disclosure of Secrets)
Sender Receiver
- Sender doesn’t know that receiver has gained the one.
- As soon as receiver has gained anyone, he can’t receive other messages.
Voting with ANDOS
Voter ViCentral Tabulating Facility
1. Ask for VN
PCLA Pi
SCLA
2. Maintain VN list for voters
Si
3. VNr by ANDOS
VN list
Unsatisfied Requirements
1. Only authorized voters can vote. – we solve it by blinded signagture
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Idea of Improved Voting with ANDOS
Voter is also checker for CTF
Voting with Blind Signature
Voter ViCentral Tabulating Facility
1. Join within T
PCTF Pi
SCTF
2. Publish a list of participants
Si
3. IDr by using ANDOS
Voting with Blind Signature
Voter ViCentral Tabulating Facility
5. IDr, Ei(IDr, V)
PCTF Pi
SCTF
6. Publish Ei(IDr, V)
Si
IDr
7. IDr Si
8. Decrypt, publish the result.(For each candidate, the list of all Ei(IDr, V) that voted for a
candidate)
Voting with Blind Signature
Voter ViCentral Tabulating Facility
9. IDr, Ei(IDr, V), Si
PCTF Pi
SCTFSi
IDr or
9. IDr, Ei(IDr, V’), Si
Within time T, voter can change the vote.
The Reason of the possibility for protest
Central Tabulating Facility
6. Publish Ei(IDr, V)
CTF should be examined for performing his duty by voter Vi
Unsatisfied Requirements
1. Only authorized voters can vote. – we solve it by blinded signagture
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Additional Satisfied Requirements
8. A voter can change his mind within a given period of time.
9. If a voter find out that his vote is miscounted, he can identify and correct the problem without jeopardzing the secrecy of his ballot.
Protocols
1. Simplistic voting protocols #1
2. Simplistic voting protocols #2
3. Voting with blind signatures
4. Voting with two central facilities
5. Voting with ANDOS
6. Improved voting with ANDOS
7. Voting without a central facility
Idea of Voting without a Central Facility
The problem of source is CTF.
Central Tabulating Facility
Idea of Voting without a Central Facility
Everyone is checker.
Voting without a Central Facility
Voter V1 Voter V2 Voter V3 Voter Vn
1. Generate each public/private key pair.
2. Publish order of voters and each public key.
Voting without a Central Facility
Voter Vi
1. Generate IDr
2. Generate E1(…En(V, IDr)…)
3. Generate En(E1(…En(V, IDr)…), Rn)
4. Generate M = E1(…En(E1(…En(V, IDr)…)…), R1)
and record Rn … R1 and the intermediate results.
IDr
Pi
Si
Voter Vi
5. M
P1 Pi
Si
6. Decrypt, removes all of the random strings at that level.
Voting without a Central Facility
Voter V1
S1
Voter V1
7. M2
P1 P2
S1
8. Decrypt, check to see that his vote is among the set of votes, removes all of the random strings at that level.
Voting without a Central Facility
Voter V2
S2
(M2 is the decrypted
message)
Voter Vn
9. M’
Pn P1
Sn
10. Decrypt, check to see that his vote is among the set of votes, removes all of the random strings at that level.
Voting without a Central Facility
Voter V1
S1
( M’ = E1(…En(V, IDr)…) )
11. Sign all the votes.
12. Broadcast all signed votes to everyone.
Voting without a Central Facility
Voter V1
Voting without a Central Facility
Voter Vn
13. Publish the result.
Unsatisfied Requirements
1. Only authorized voters can vote.
2. No one can vote more than once.
3. No one can duplicate anyone else’s vote.
4. No one can change anyone else’s vote without being discovered.
5. Every voter can make sure that his vote has been taken into account in the final tabulation.
6. No one can determine for whom anyone else voted.
7. Everyone knows who voted and who didn’t.
Additional Some Problems
1. An enormous amount of computation
2. Vn learns the results of the election before anyone else d
oes.
3. Message duplication. (Ex: There are three people.)
Contents
1. Secure elections• Introduction
• Protocols
2. Secure multiparty computation• Introduction
• Examples
Introduction
A protocol in which a group can compute any function securely.
f(x1, x2, …, Xm)
Xj ,…, Xk
Pi
Introduction
f(x1, x2, …, Xm) is public !
But, no one learns anything about the
inputs of any other members other tha
n what is obvious from the output of th
e function.
Contents
1. Secure elections• Introduction
• Protocols
2. Secure multiparty computation• Introduction
• Examples
Compute Average Value
n
s)s , ,,(
n
1 ii
n21
ssf
P1
1. Generate M = S1 + r
P2
2. E2(M)
3. Decrypt, M’ = S2 + M
Compute Average Value
Pn
4. Generate M* = Sn + M’’
P1
5. E1(M*)
6. Decrypt.
n
rM * 7. Compute
8. Publish it
Problems
1. Participants can lie Si
2. V1 can misrepresent the result to everyone. – It is solved
by bit commit for r, but V2 knows S1.
Check the equality
),( baf
P1
1. Compute h(a)
P2
2. h(a)
3. Compute h(b)4. Check if h(a) = h(b)
0, if a = b
1, otherwise
a b
Problems
1. B has a chosen plaintext attack if size of domain is small.
Additional Examples
• Electronic elections
• Bidding protocols
• Lotteries
• Distributed games over the
internet