Electronic Voting in the Standard Model

Thomas Briner, September 2003

Electronic voting schemes that claim to satisfy the property of receipt-freeness usually need strong physical assumptions which are not available in real life. In this paper we present a protocol that achieves receipt-freeness in a threshold model without unrealistic assumptions. It is designed for large-scale votes. It uses an existing type of untappable channel for the initialization of a vote but only ordinary internet connections for the voting phase. The untappable channels are needed only to achieve receipt-freeness and are not required for any of the other properties.

The protocol achieves receipt-freeness by allowing each voter to convince a votebuyer, who is willing to pay for a certain vote, that this vote was cast, even though the voter actually cast an arbitrary vote. Even if the votebuyer is able to eavesdrop on all channels between voters and authorities except for the untappable ones, he cannot distinguish whether or not the voter is telling the truth. In case of coercion, a voter who is forced to cast a certain vote is still able to make sure that the vote will be considered invalid, and therefore ignored by the authorities, without giving the coercer the opportunity to figure this out. All these properties hold under the assumption that no authority cooperates with a votebuyer or blackmailer.

A dishonest authority is able to prevent a voter from casting a vote. This cannot be prevented, but at least it will be detected that some irregularity has occurred. It is possible that the correctness of the result can be influenced by dishonest authorities, but in the context of a large-scale vote, the level of overall correctness can still be judged by detecting the number of such irregularities and comparing it to the result.

Universal verifiability is not achieved with this protocol. The protocol is based on a threshold on the number of honest authorities. This is no loss compared to the protocols that claim to have the property of universal verifiability in theory, as they need additional elements, e.g. a kind of bulletin board, that do not exist in real life. To implement this bulletin board, it has to be simulated by the authorities, and it therefore depends on the honesty of those authorities too.

Text of Electronic Voting in the Standard Model

  • 1. Electronic Voting in the Standard Model; Semester project, SS03; Thomas Briner; Supervisor: Martin Hirt; Vote v; Voter; Authority
  • 2. Bulletin Board; SKA
  • 3. Homomorphic Encryption: E(v1) E(v2) = E(v1 + v2)
  • 4. Bulletin Board; SKA
  • 5. Bulletin Board; SKA
  • 6. Bulletin Board; SKA; randomness
  • 7. Bulletin Board; 1,...,TN)
  • 8. Bulletin Board; 1,...,TN)
  • 9. e = E(v,); homomorphic encryption; v; blinding
  • 10. SKA
  • 11.
  • 12.
  • 13. homomorphic encryption; v; blinding; 0 1 0 0 0 0 0; Cand 1, Cand 2, ....., Cand L; e; E(0) E(1) E(0) E(0) E(0) E(0) E(0); E(0) E(0) E(0) E(0) E(0) E(1) E(0)
  • 14. homomorphic encryption; v; blinding with correct key; e; cast vote; encrypted and blinded vote as sent in ballot
  • 15. homomorphic encryption; v; blinding with correct key; e; v; cast vote; homomorphic encryption; blinding with fake key; claimed vote; encrypted and blinded vote as sent in ballot
  • 16. cast vote; claimed vote
  • 17. ballot = (voter ID, vote ID, encrypted and permuted vote, validity proof, tag, signature)
  • 18. encrypted permuted vote; tag T; key = ax + b; P; permutation
  • 19. encrypted permuted vote; tag T; key = ax + b; P; permutation; permutation P; tag T
  • 20. key = ax + b; encrypted permuted vote, permutation; tag T; encrypted permuted vote, permutation; tag T; claimed keys
  • 21. Possible States for each Voter
      • empty: No correctly signed ballot
      • invalid: One or more correctly signed but only invalid ones
      • valid: Exactly one correctly signed and valid
      • double: More than one correctly signed and valid ones
  • 22. List of Accusations
  • 23. The Voter's View
      • Receives letter with a permutation and a key
      • Chooses his vote
      • Encrypts his vote
      • Permutes the encrypted vote
      • Sends it to at least one honest authority
      • Generates fake keys for each permutation he wants to claim
      • Proves to the votebuyer that he has cast the desired vote
  • 24. Properties of this Protocol
      • Privacy: Yes!
      • Availability: Yes!
      • Correctness: Not completely, detection of irregularities but no prevention
      • Receipt-freeness: Yes!
  • 25. EPKA(v)
  • 26. EPKA(v)
  • 27. Thank you for your attention!
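
The encoding on slides 3 and 13 (a unit vector encrypted component by component, blinded by a permutation, then tallied through E(v1) E(v2) = E(v1 + v2)) can be worked through as follows. This is an added example, not code from the paper or the slides. It assumes exponential ElGamal as the homomorphic scheme, a single key holder instead of threshold authorities, toy-sized group parameters, and that the tallying authority knows each voter's permutation from the initialization letter; tags, keys and validity proofs are left out, and all function names are hypothetical.

```python
import secrets

# Assumption: toy group, far too small for real use. p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def enc(pk, m):
    """Exponential ElGamal: E(m) = (g^r, g^m * pk^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P

def mul(c1, c2):
    """Homomorphic property from slide 3: E(v1) * E(v2) = E(v1 + v2)."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def dec(sk, c, max_m):
    gm = c[1] * pow(c[0], Q - sk, P) % P   # c[0]^(-sk), since c[0] has order q
    # Recover m from g^m by search; m is a small count, at most max_m.
    return next(m for m in range(max_m + 1) if pow(G, m, P) == gm)

def cast(pk, choice, n_cand, perm):
    """Encrypt the unit vector for `choice`, then blind it by permuting slots."""
    enc_vec = [enc(pk, int(i == choice)) for i in range(n_cand)]
    return [enc_vec[perm[j]] for j in range(n_cand)]  # slot j holds candidate perm[j]

def unblind(ballot, perm):
    """Undo the voter's permutation so slot i is candidate i again."""
    out = [None] * len(ballot)
    for j, c in enumerate(ballot):
        out[perm[j]] = c
    return out

def tally(sk, ballots_with_perms, n_cand):
    sums = [(1, 1)] * n_cand               # (1, 1) is a trivial encryption of 0
    for ballot, perm in ballots_with_perms:
        sums = [mul(s, c) for s, c in zip(sums, unblind(ballot, perm))]
    # Only the per-candidate sums are decrypted, never an individual ballot.
    return [dec(sk, s, len(ballots_with_perms)) for s in sums]

def demo():
    sk, pk = keygen()
    perms = [[2, 0, 3, 1], [1, 3, 0, 2], [3, 2, 1, 0]]  # constructed permutations
    choices = [1, 1, 3]                                  # constructed votes, 4 candidates
    ballots = [(cast(pk, c, 4, p), p) for c, p in zip(choices, perms)]
    return tally(sk, ballots, 4)
```

Without the permutation, the slot that carries E(1) in a blinded ballot says nothing about the candidate, which is what lets a voter name a different permutation when claiming a vote.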