Electronic Voting in the Standard Model
Thomas Briner, September 2003

Electronic voting schemes that claim to satisfy the property of receipt-freeness usually need strong physical assumptions that are not available in real life. In this paper we present a protocol that achieves receipt-freeness in a threshold model without unrealistic assumptions. It is designed for large-scale votes. It uses an existing type of untappable channel for the initialization of a vote but only ordinary internet connections for the voting phase. The untappable channels are needed only to achieve receipt-freeness and are not mandatory for any of the other properties. The protocol achieves receipt-freeness by allowing each voter to convince a votebuyer who is willing to pay for a certain vote that this vote was cast, even though the voter cast an arbitrary vote. Even if the votebuyer is able to eavesdrop on all channels between voters and authorities except for the untappable ones, he cannot distinguish whether or not the voter is telling the truth. In case of coercion, a voter who is forced to cast a certain vote is still able to make sure that the vote will be considered invalid, and therefore ignored by the authorities, without giving the coercer the opportunity to find out. All these properties hold under the assumption that no authority cooperates with a votebuyer or blackmailer. A dishonest authority is able to prevent a voter from casting a vote. This cannot be prevented, but at least it will be detected that some irregularity has occurred. The correctness of the result can possibly be influenced by dishonest authorities, but in the context of a large-scale vote, the level of overall correctness can still be judged by counting such irregularities and comparing their number to the result. Universal verifiability is not achieved with this protocol. The protocol is based on a threshold on the number of honest authorities. This is no loss compared to the protocols that claim to have the property of universal verifiability in theory, as they need additional elements, e.g. a kind of bulletin board, that do not exist in real life. To implement this bulletin board, it has to be simulated by the authorities and therefore depends on the honesty of those authorities too.
Electronic Voting in the Standard Model
Semester thesis, SS03
Thomas Briner
Supervisor: Martin Hirt
[Figure labels: vote v; voter; authority; bulletin board; SKA]
Homomorphic Encryption
E(v₁) ⊕ E(v₂) = E(v₁ + v₂)
e = E(v, α)
[Figure: v → homomorphic encryption → e → blinding → ē; further label: SKA]
Cand 1   Cand 2   .....   Cand L
   0 1 0 0 0 0 0
e  E(0) E(1) E(0) E(0) E(0) E(0) E(0)
   E(0) E(0) E(0) E(0) E(0) E(1) E(0)
[Figure: the cast vote v is homomorphically encrypted to e and blinded with the correct key to ē, the encrypted and blinded vote as sent in the ballot. A claimed vote v' with homomorphic encryption e' is tied to the same ē by blinding with a fake key.]
ballot = (voter ID, vote ID, encrypted and permuted vote ē, validity proof, tag, signature)
[Figure labels: encrypted permuted vote ē; permutations π and π'; tags T and T'; key = ax + b; P; claimed keys]
Possible States for each Voter
empty: No correctly signed ballot
invalid: One or more correctly signed but only invalid ones
valid: Exactly one correctly signed and valid
double: More than one correctly signed and valid ones
List of Accusations
The Voter's View
• Receives letter with a permutation and a key
• Chooses his vote
• Encrypts his vote
• Permutes the encrypted vote
• Sends it to at least one honest authority
• Generates fake keys for each permutation he wants to claim
• “Proves” to the votebuyer that he has cast the desired vote
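The voter's steps above, sketched as an added example that is not taken from the slides or the thesis: a per-candidate vector of E(0)/E(1) is permuted before sending, the authority undoes the real permutation and tallies homomorphically, and the same ē reads as a different vote under a claimed permutation. Assumptions: exponential ElGamal with a constructed toy group stands in for the homomorphic scheme (the page does not name one), there is a single authority key, and the tag, the key from the letter and the validity proof are not modeled.

```python
import random

# Constructed toy group (insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def enc(pk, m, rng):
    """Exponential ElGamal: E(m, alpha) = (g^alpha, g^m * pk^alpha)."""
    alpha = rng.randrange(1, Q)
    return (pow(G, alpha, P), pow(G, m, P) * pow(pk, alpha, P) % P)

def add(c1, c2):
    """E(v1) (+) E(v2) = E(v1 + v2): multiply ciphertexts componentwise."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def dec(sk, c, max_m):
    """Recover a small m by searching g^m (enough for the tally of a toy vote)."""
    gm = c[1] * pow(c[0], Q - sk, P) % P      # c[0]^(Q - sk) equals c[0]^(-sk)
    return next(m for m in range(max_m + 1) if pow(G, m, P) == gm)

def cast(pk, choice, perm, rng):
    """Encrypt the unit vector for `choice`, then permute: slot j holds candidate perm[j]."""
    e = [enc(pk, int(i == choice), rng) for i in range(len(perm))]
    return [e[perm[j]] for j in range(len(perm))]

def reading(sk, ebar, perm):
    """Candidate that ebar encodes under `perm` (decrypts the slots, so demo only)."""
    slot = [dec(sk, c, 1) for c in ebar].index(1)
    return perm[slot]

def fake_perm(perm, choice, claimed):
    """Permutation under which the same ebar reads as `claimed`: swap the two labels."""
    swap = {choice: claimed, claimed: choice}
    return [swap.get(c, c) for c in perm]

def tally(sk, ballots, perms):
    """Undo each voter's real permutation, add homomorphically, decrypt only the sums."""
    total = [(1, 1)] * len(perms[0])          # (1, 1) is E(0) with alpha = 0
    for ebar, perm in zip(ballots, perms):
        for j, cand in enumerate(perm):
            total[cand] = add(total[cand], ebar[j])
    return [dec(sk, c, len(ballots)) for c in total]
```

Since the sketch leaves out the tag and key, nothing here stops a voter from claiming any permutation; in the protocol the fake keys generated in the second-to-last step are what make the claimed permutation look consistent.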
Properties of this Protocol
Privacy: Yes!
Availability: Yes!
Correctness: Not completely, detection of irregularities but no prevention
Receipt-freeness: Yes!
E_{PK_A}(v)
Thank you very much for your attention!