ballot privacy in elections new metrics and constructions
play

Ballot privacy in elections: new metrics and constructions. Olivier - PowerPoint PPT Presentation

Aug 17, 2023 •108 likes •415 views

Ballot privacy in elections: new metrics and constructions. Olivier Pereira Universit e catholique de Louvain Based on joint works with: D. Bernhard, V. Cortier, E. Cuvelier, T. Peters and B. Warinschi March 2015 UCL Crypto Group Vote

  1. Ballot privacy in elections: new metrics and constructions. Olivier Pereira – Universit´ e catholique de Louvain Based on joint works with: D. Bernhard, V. Cortier, E. Cuvelier, T. Peters and B. Warinschi March 2015 UCL Crypto Group Vote Privacy - Mar. 2015 1 Microelectronics Laboratory

  2. Open Voting UCL Crypto Group Vote Privacy - Mar. 2015 2 Microelectronics Laboratory

  3. Open Voting UCL Crypto Group Vote Privacy - Mar. 2015 3 Microelectronics Laboratory

  4. Open Voting Alice: Bob: Walter Valerie Charles: Walter Dana: Walter ◮ Every voter can verify that nobody tampered with her/his vote ◮ Every voter can compute the tally ◮ No privacy, no coercion-resistance, no fairness, . . . UCL Crypto Group Vote Privacy - Mar. 2015 4 Microelectronics Laboratory

  5. Secret Ballot ◮ Liberal motivation: “My vote is my own business, elections are a tool for aggregating private opinions” ◮ Practical motivation: Prevent coercion and bribery UCL Crypto Group Vote Privacy - Mar. 2015 5 Microelectronics Laboratory

  6. A traditional paper approach Walter Valerie Walter Walter ◮ With voting booth: privacy, coercion-resistance, fairness, . . . ◮ If a voter keeps an eye on the urn and tally all day long, he can be convinced that: ◮ his vote is untampered ◮ the tally is based on valid votes and correct ◮ A minute of inattention is enough to break this UCL Crypto Group Vote Privacy - Mar. 2015 6 Microelectronics Laboratory

  7. Privacy vs Verifiability – Two Extremes Hand raising vote Uncontrolled ballot box Verifiability 100% Verifiablility 0% Privacy 0% Privacy 100% UCL Crypto Group Vote Privacy - Mar. 2015 7 Microelectronics Laboratory

  8. Privacy and Verifiability ? UCL Crypto Group Vote Privacy - Mar. 2015 8 Microelectronics Laboratory

  9. Defining Vote Privacy Not an absolute notion: ◮ Usually accepted that there is no privacy when all voters support the same candidate Elections as Secure Function Evaluation [Yao82]: ◮ “The voting system should not leak more than the outcome” ◮ But we would like to know how much the outcome leaks! Game-style definition [KTV11]: ◮ Privacy measured as max probability to distinguish whether I voted in one way or another ◮ Often too strong: that probability is ≈ 1 when: #different ballots ≫ #voters UCL Crypto Group Vote Privacy - Mar. 2015 9 Microelectronics Laboratory

  10. Defining Vote Privacy What do we want to measure? 1. With what probability can A guess my vote? Sounds like min-entropy! 2. In how many ways can I pretend that I voted? Sounds like Hartley entropy! UCL Crypto Group Vote Privacy - Mar. 2015 10 Microelectronics Laboratory

  11. Notations Let: ◮ D be the distribution of honest votes (if known) ◮ T : sup( D ) �→ { 0 , 1 } ∗ be a target function ◮ T ( v 1 , . . . , v n ) := v i ? ◮ T ( v 1 , . . . , v n ) := ( v i = v j ) ◮ ρ ( v 1 , . . . , v n ) be the official outcome of the election ◮ view A ( D , π ) be the view of A participating to voting protocol π in which honest voters vote according to D UCL Crypto Group Vote Privacy - Mar. 2015 11 Microelectronics Laboratory

  12. Measure(s) for privacy M x ( T , D , π ) := inf A F x ( T ( D ) | view A ( D , π ) , ρ ( D , v A )) where: ◮ F x ( A | B ) is some x -R´ eniy entropy measure on A given B UCL Crypto Group Vote Privacy - Mar. 2015 12 Microelectronics Laboratory

  13. Choices for F x ( A | B ) M x ( T , D , π ) := inf A F x ( T ( D ) | view A ( D , π ) , ρ ( D , v A )) Choices for F x ( A | B ): � 2 − H ∞ ( A | B = b ) �� ˜ � H ∞ Average min-entropy: − log E [DORS08] b ∈ B Measures the probability that A guesses the target H ⊥ ∞ Min-min-entropy: min b ∈ B H ∞ ( A | B = b ) Same as before, but for the worst possible b H ⊥ 0 Min-Hartley-entropy: min b ∈ B H 0 ( A | B = b ) Measures the number of values that the target can take for the worst b – No probabilities involved! UCL Crypto Group Vote Privacy - Mar. 2015 13 Microelectronics Laboratory

  14. An example.. . Consider: ◮ An approval (yes/no) election with 1 question ◮ 3 voters voting uniformly at random ◮ target is the first voter ˜ H ⊥ H ⊥ H ∞ ∞ 0 ρ 1 := ⊥ 1 1 1 ρ 2 := | � v | yes > | � v | no . 4 . 4 1 ρ 3 := ( | � v | yes , | � v | no ) . 4 0 0 ρ 4 := � 0 0 0 v ( . 4 ≈ − log 3 4 ) UCL Crypto Group Vote Privacy - Mar. 2015 14 Microelectronics Laboratory

  15. Scantegrity Audit Data ◮ Official outcome: number of votes received by each candidate ◮ Scantegrity audit trail exposes all ballots (codes removed) ◮ Scantegrity take-home receipt shows how many bullets you filled UCL Crypto Group Vote Privacy - Mar. 2015 15 Microelectronics Laboratory

  16. Scantegrity Audit Data From the 2009 Takoma Park municipal election data : Ward 1 5 6 #Ballots 470 85 198 Question A B A B A B H ⊥ 0 from official outcome 6 3.17 6 3.17 6 6 H ⊥ 0 with receipts 1.58 1.58 0 1 2 1.58 ◮ 6/3.17 bits is a question with 3/2 candidates to rank (including incorrect rankings) ◮ In most cases, rankings of a certain length are uncommon ◮ In Ward 5, a voter looses his/her privacy completely on Question A if he/she shows his/her receipt! UCL Crypto Group Vote Privacy - Mar. 2015 16 Microelectronics Laboratory

  17. Single-Pass Cryptographic Voting A common approach ([CGS97], [DJ01], Helios, . . . ): pk Enc pk ( v i ) V i T sk Tally 1. Trustees create an election public key pk 2. Voters publish an encryption of their vote v i 3. Trustees compute and publish the tally, using the secret key sk 4. Everyone can verify that the tally is consistent with the encrypted votes UCL Crypto Group Vote Privacy - Mar. 2015 17 Microelectronics Laboratory

  18. Cryptographic Voting Problem with entropic measures of privacy: H( v i | Enc pk ( v i ) , pk ) = 0 Solution: use a computational analog of entropy : x ( A | B ) ≥ r ⇔ ∃ B ′ ≈ c B and F x ( A | B ′ ) ≥ r ◮ F c In particular, H c ( v i | Enc pk ( v i ) , pk ) ≥ r if H( v i | Enc pk (0) , pk ) ≥ r UCL Crypto Group Vote Privacy - Mar. 2015 18 Microelectronics Laboratory

  19. Computational Measure(s) for privacy M c A F c x ( T , D , π ) := inf x ( T ( D ) | view A ( D , π ) , ρ ( D , v A )) where: ◮ F c x ( A | B ) is a x -R´ eniy computational entropy metric on A given B Definition (informal): A voting scheme π with tallying function ρ offers ballot privacy if, for all T , D : M c A F c x ( T , D , π ) = inf x ( T ( D ) | ρ ( D , v A )) UCL Crypto Group Vote Privacy - Mar. 2015 19 Microelectronics Laboratory

  20. Privacy and Verifiability Do we need to move to computational entropies? ? ◮ Publish encrypted votes, but what if encryption gets broken? ◮ because time passes and computing speed increases ◮ because decryption keys are lost/stolen ◮ because there is an algorithmic breakthrough UCL Crypto Group Vote Privacy - Mar. 2015 20 Microelectronics Laboratory

  21. Voting with a Perfectly Private Audit Trail Can we offer verifiability without impacting privacy? More precisely: Can we take a non-verifiable voting scheme and add verifiability without impacting privacy? Goal: ◮ Have a new kind of audit data ◮ Audit data must perfectly hide the votes ◮ Usability must be preserved: 1. Practical distributed key generation 2. No substantial increase of the cost of ballot preparation 3. Be compatible with efficient proof systems UCL Crypto Group Vote Privacy - Mar. 2015 21 Microelectronics Laboratory

  22. Commitments Can Enable Perfect Privacy commitment d opening a m ◮ A commitment is perfectly hiding if d is independent of m ◮ A commitment is computationally binding if it is infeasible to produce d , ( m , a ) , ( m ′ , a ′ ) such that d can be opened on both ( m , a ) and ( m ′ , a ′ ) ( m � = m ′ ) Example: ◮ Let g 0 , g 1 be random generators of a cyclic group G ◮ Set d = g a 0 g m 1 as a commitment on m with random opening a ◮ Finding a different ( m , a ) pair consistent with d is as hard as computing the discrete log of g 1 in base g 0 UCL Crypto Group Vote Privacy - Mar. 2015 22 Microelectronics Laboratory

  23. A New Primitive : Commitment Consistent Encryption Commitment Consistent Encryption (CCE) scheme Π = ( Gen , Enc , Dec , DerivCom , Open , Verify ) ( Gen , Enc , Dec ) is a classic encryption scheme c = Enc pk ( m ) DerivCom pk ( c ) from the ciphertext, derives a commitment d Open sk ( c ) outputs an opening value a from c using sk Verify pk ( d , a , m ) checks that d is a commitment on m w.r.t. a UCL Crypto Group Vote Privacy - Mar. 2015 23 Microelectronics Laboratory

  24. Single-Pass Cryptographic Voting Voting with a CCE scheme: pk c = Enc pk ( v i ) V i T sk Tally Board Audit Derivcom pk ( c ) 1. Trustees create an election public key pk 2. Voters submit an encryption of their vote v i to Trustees 3. Trustees publish commitments extracted from encrypted votes 4. Trustees publish the tally, as well a proofs of correctness UCL Crypto Group Vote Privacy - Mar. 2015 24 Microelectronics Laboratory

Recommend

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Mobile Networks - Module H2 Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; privacy preserving routing in ad hoc networks; Slides adapted from Security and

909 views • 55 slides
Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of

Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of

Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of Computer Science and Engineering The University of New South Wales Sydney, Australia {rolandw,richardb}@cse.unsw.edu.au VOTE-ID 2009 1 / 35

509 views • 35 slides
Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira, Ben Smyth, Bogdan Warinschi September 2, 2011 ESORICS 2011 Adapting Helios for Provable Ballot Privacy 1 / 26 Helios Helios is a web-based voting

629 views • 40 slides
Ballot Design City of Long Beach, California August 11, 2011 U.S. Elections Assistance

Ballot Design City of Long Beach, California August 11, 2011 U.S. Elections Assistance

Ballot Design City of Long Beach, California August 11, 2011 U.S. Elections Assistance Commission Washington, D.C. City of Long Beach A Charter City founded in 1897 Population: 462,257 39 th largest city in the nation, 7 th largest

631 views • 18 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric & Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

492 views • 48 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric & Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

846 views • 55 slides
Election Verifiability or Ballot Privacy Do We Need to Choose? Edouard Cuvelier Thomas Peters

Election Verifiability or Ballot Privacy Do We Need to Choose? Edouard Cuvelier Thomas Peters

Election Verifiability or Ballot Privacy Do We Need to Choose? Edouard Cuvelier Thomas Peters Olivier Pereira Universit e catholique de Louvain ICTEAM Crypto Group SecVote 2012 UCL Crypto Group PPAT - Jul. 2012 1

451 views • 16 slides
Elastic distinguishability metrics for Location Privacy Marco Stronati marco@stronati.org joint

Elastic distinguishability metrics for Location Privacy Marco Stronati marco@stronati.org joint

Elastic distinguishability metrics for Location Privacy Marco Stronati marco@stronati.org joint work with K. Chatzikokolakis and C. Palamidessi 1 / 14 Privacy for LBS Goal: limit semantic inference (not anonymity) Reasonable utility for

701 views • 30 slides
Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos

Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos

Introduction Two Pseudometrics Non-expansive Process Operators An application to the Dining Cryptographers Protocol Summary Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos Chatzikokolakis 2 , 3 , Huimin

608 views • 49 slides
Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos

Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos

Introduction Three Pseudometrics Summary Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos Chatzikokolakis 2 , 3 Huimin Lin 4 Catuscia Palamidessi 1 , 3 1 INRIA 2 CNRS 3 Ecole Polytechnique 4 Institute of

868 views • 49 slides
MA111: Contemporary mathematics . Jack Schmidt University of Kentucky August 27, 2012 Entrance

MA111: Contemporary mathematics . Jack Schmidt University of Kentucky August 27, 2012 Entrance

. MA111: Contemporary mathematics . Jack Schmidt University of Kentucky August 27, 2012 Entrance Slip (due 5 min past the hour): Convert the following linear ballots into a preference schedule: Ballot Ballot Ballot Ballot Ballot Ballot

356 views • 17 slides
Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation techniques Additive perturbation Multiplicative perturbation Privacy metrics Privacy metrics Summary Definition of dataset Column

280 views • 23 slides
Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos

Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos

Introduction Three Pseudometrics Comparison of the Three Pseudometrics Summary Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 Konstantinos Chatzikokolakis 2 , 3 Huimin Lin 4 Catuscia Palamidessi 1 , 3 1 INRIA 2 CNRS 3

741 views • 52 slides
Effective Designs for the Administration of Federal Elections Karen Lynn-Dyson, Research

Effective Designs for the Administration of Federal Elections Karen Lynn-Dyson, Research

Effective Designs for the Administration of Federal Elections Karen Lynn-Dyson, Research Director U.S. Election Assistance Commission April 16, 2008 Background HAVA 241(b)(2) and 302(b) mandate that EAC study ballot designs for

531 views • 14 slides
Agenda What are ballot measures? Kellie Dupree What are 501(c)(3) organizations Director

Agenda What are ballot measures? Kellie Dupree What are 501(c)(3) organizations Director

Agenda What are ballot measures? Kellie Dupree What are 501(c)(3) organizations Director of Partnerships and Training allowed to do Ballot Initiative Strategy Center Direct Lobbying limits Stories from the field: Ballot measure

653 views • 16 slides
What we learned from Community Metrics Agenda Why are metrics used? How metrics are used

What we learned from Community Metrics Agenda Why are metrics used? How metrics are used

What we learned from Community Metrics Agenda Why are metrics used? How metrics are used in two Open Source communities Common pitfalls and ways to avoid them Why use Metrics? Transparency Who is contributing to the

166 views • 14 slides
Ballot Article 8 Tax Stabilization Ballot Language Shall the voters authorize the Richmond

Ballot Article 8 Tax Stabilization Ballot Language Shall the voters authorize the Richmond

Ballot Article 8 Tax Stabilization Ballot Language Shall the voters authorize the Richmond Selectboard to negotiate and enter a Tax Stabilization Agreement for Economic Development purposes, for the properties commonly known as the Creamery,

561 views • 10 slides
Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy ibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen,

907 views • 88 slides
Metrics & Scoring Committee September 16, 2016 Consent Agenda Approve August minutes.

Metrics & Scoring Committee September 16, 2016 Consent Agenda Approve August minutes.

Metrics & Scoring Committee September 16, 2016 Consent Agenda Approve August minutes. Vice Chair elections 2 Updates 3 Health Plan Quality Metrics Committee Applications opened on September 6 th and will close Oct 19 th

839 views • 71 slides
Privacy index metrics in digital communication Showing Caliopen's users how public their private

Privacy index metrics in digital communication Showing Caliopen's users how public their private

Privacy index metrics in digital communication Showing Caliopen's users how public their private messages are. Laurent Chemla, project owner Stanislas SABATIER, backend developer Caliopen handles all of your private exchanges Private

933 views • 9 slides
Election Related Regulations Susan Lapsley, Deputy Secretary of State, HAVA Director and

Election Related Regulations Susan Lapsley, Deputy Secretary of State, HAVA Director and

Election Related Regulations Susan Lapsley, Deputy Secretary of State, HAVA Director and Counsel Rachelle Delucchi, Elections Counsel Robbie Anderson, Elections Counsel Topics Ballot Printing Electronic Poll Books

570 views • 16 slides
1 London.ca/Elections 2 What is Ranked Choice Voting? The City of London used Ranked Choice

1 London.ca/Elections 2 What is Ranked Choice Voting? The City of London used Ranked Choice

1 London.ca/Elections 2 What is Ranked Choice Voting? The City of London used Ranked Choice Voting (a ranked ballot system) to elect municipal council in the 2018 election. This is a system that has been used around the world to tally

331 views • 9 slides
Community Council Elections 2015 Key facts: Elections will be held in all 25 community

Community Council Elections 2015 Key facts: Elections will be held in all 25 community

Community Council Elections 2015 Key facts: Elections will be held in all 25 community council areas Elections run as per agreed Scheme of Electoral Arrangements Delayed by one year from October 2014 Community Councillors elected

232 views • 10 slides

More recommend