minimum disclosure counting for the alternative vote
play

Minimum Disclosure Counting for the Alternative Vote Roland Wen and - PowerPoint PPT Presentation

Minimum Disclosure Counting for the Alternative Vote Roland Wen and Richard Buckland School of Computer Science and Engineering The University of New South Wales Sydney, Australia {rolandw,richardb}@cse.unsw.edu.au VOTE-ID 2009 Outline


  1. Minimum Disclosure Counting for the Alternative Vote Roland Wen and Richard Buckland School of Computer Science and Engineering The University of New South Wales Sydney, Australia {rolandw,richardb}@cse.unsw.edu.au VOTE-ID 2009

  2. Outline Background The Alternative Vote Signature Attacks Security Requirements Counting Scheme Overview Tally Protocol Exclude Protocol The Winner Discussion 2 / 24

  3. Background The Alternative Vote The Alternative Vote ◮ Preferential electoral system ◮ Voters express preferences for all candidates ◮ Alternative vote ◮ Elect single candidate ◮ Winner must obtain majority (> 50%) of votes ◮ Many rounds of counting 3 / 24

  4. Background The Alternative Vote Example: Alternative Vote Elections in Lilliput-Blefuscu ◮ 100 voters ◮ 40 Lilliputians (Little-endians) ◮ 60 Blefuscudians (Big-endians) ◮ 4 candidates ◮ 1 Little-endian (L) ◮ 3 Big-endians 1. Hard eggs (BH) 2. Medium eggs (BM) 3. Soft eggs (BS) 4 / 24

  5. Background The Alternative Vote Example: Counting the Votes ◮ Counting takes place in rounds ◮ Each round is “last” past the post election 1. Calculate tallies using highest preference of each ballot 2. Exclude last candidate from counting 5 / 24

  6. Background The Alternative Vote Example: Counting the Votes ◮ Counting takes place in rounds ◮ Each round is “last” past the post election 1. Calculate tallies using highest preference of each ballot 2. Exclude last candidate from counting Candidate L BH BM BS Round 1 40 20 25 15 6 / 24

  7. Background The Alternative Vote Example: Counting the Votes ◮ Counting takes place in rounds ◮ Each round is “last” past the post election 1. Calculate tallies using highest preference of each ballot 2. Exclude last candidate from counting Candidate L BH BM BS Round 1 40 20 25 15 Round 2 40 25 35 - 7 / 24

  8. Background The Alternative Vote Example: Counting the Votes ◮ Counting takes place in rounds ◮ Each round is “last” past the post election 1. Calculate tallies using highest preference of each ballot 2. Exclude last candidate from counting Candidate L BH BM BS Round 1 40 20 25 15 Round 2 40 25 35 - Round 3 40 - 60 - 8 / 24

  9. Background Signature Attacks Signature Attacks ◮ Secret ballot provides privacy and anonymity ◮ Signature attacks link voters to the votes they cast ◮ ⇒ Breaks receipt-freeness during the counting ◮ Exploited by Italian Mafia ◮ Eg signed ballot with specified permutation of preferences ◮ Highly likely that randomly chosen covert signature is unique ◮ Number of possible signatures is factorial in number of candidates ◮ 20 candidates ⇒ 19 ! ≈ 10 17 signatures 9 / 24

  10. Background Signature Attacks Signature Attacks on Partial Counting Information ◮ May still detect absence of some signatures ◮ ⇒ Voters who disobey risk getting caught out ◮ ⇒ Sufficient for bribery and coercion ◮ Eg round tallies reveal that some signatures never occur Candidate L BH BM BS Round 1 40 20 25 15 Round 2 40 25 35 - ◮ Increase chance of detecting absent signatures ◮ Eg by embedding contrived sequences of preferences in signatures 10 / 24

  11. Background Signature Attacks How To Prevent Signature Attacks ◮ Currently no definition for what counting information enables effective signature attacks ◮ All information is potentially dangerous ◮ ⇒ Safest approach is that counting reveals nothing apart from the result 11 / 24

  12. Background Security Requirements Security Requirements for Cryptographic Counting 1. Minimum disclosure ◮ Reveal only the identity of the winning candidate 2. Universal verifiability ◮ Operations are public and accompanied by proofs 3. Robustness 12 / 24

  13. Counting Scheme Minimum Disclosure Counting Scheme Background The Alternative Vote Signature Attacks Security Requirements Counting Scheme Overview Tally Protocol Exclude Protocol The Winner Discussion 13 / 24

  14. Counting Scheme Overview Main Idea of the Counting Scheme 1. Hide the ordering of ciphertexts ◮ Mix-nets randomly permute and re-encrypt list of ciphertexts ◮ Rotators randomly cyclically shift and re-encrypt list of ciphertexts 2. Seek ciphertexts with certain properties ◮ Plaintext equality / inequality tests compare � m 1 � , � m 2 � ◮ Tests reveal only boolean result m 1 = m 2 or m 1 ≥ m 2 3. Perform open operations on identified ciphertexts ◮ Eg homomorphic addition � m 1 � ⊞ � m 2 � = � m 1 + m 2 � 14 / 24

  15. Counting Scheme Overview Inputs to the Counting Scheme ◮ Counting starts after voting finished ◮ Inputs: 1. List of all candidates (encrypted and anonymous) 2. List of ballots ◮ Each ballot is list of encrypted preferences in decreasing order of preference ◮ Values encrypted with additively homomorphic cryptosystem (eg Paillier) 15 / 24

  16. Counting Scheme Tally Protocol Tallying the Votes ◮ Construct counters (encrypted candidate-tally pairs) ◮ For highest preference of each ballot, increment appropriate counter 16 / 24

  17. Counting Scheme Tally Protocol Incrementing a Counter 1. Mix all counters 2. Use plaintext equality tests to locate counter for BS 3. Openly increment tally for BS using homomorphic addition 17 / 24

  18. Counting Scheme Exclude Protocol Excluding the Last Candidate ◮ Mix the counters ◮ Use plaintext inequality tests to compare encrypted tallies ◮ ⇒ Minimum counter (for BS ) ◮ Remove encrypted preference for BS from each ballot 18 / 24

  19. Counting Scheme Exclude Protocol Removing the Excluded Candidate 1. Rotate all ballots to conceal positions of preferences 2. Use plaintext equality tests to locate preference for BS 3. Openly delete encrypted preference for BS 19 / 24

  20. Counting Scheme Exclude Protocol Restoring the Ballots 1. Rotate all ballots to conceal positions of deleted preferences 2. Use plaintext equality tests to locate marker 3. Openly undo cyclic shifts to return ballots to original ordering 20 / 24

  21. Counting Scheme The Winner Revealing the Winner ◮ Repeat rounds until only one remaining candidate ◮ Constant number of rounds ◮ Decrypt and reveal winner 21 / 24

  22. Discussion Discussion Background The Alternative Vote Signature Attacks Security Requirements Counting Scheme Overview Tally Protocol Exclude Protocol The Winner Discussion 22 / 24

  23. Discussion Summary ◮ Signature attacks problematic for preferential counting ◮ Minimum disclosure property ◮ Prevents signature attacks ◮ Minimum Disclosure Counting Scheme ◮ Hide and seek paradigm preserves secrecy ◮ Plaintext equality and inequality tests, mix-nets, rotators ◮ Provide privacy, universal verifiability and robustness ◮ Total complexity is O ( AC 2 Vk ) 23 / 24

  24. Discussion Open Problems 1. What is the optimal complexity? ◮ At least O � � CV distributed ballot operations ◮ Limiting factor appears to be the removal of excluded candidate ◮ Seems to require O � � C work per ballot 2. What are the implications of weakening minimum disclosure? ◮ How can we assess if specific partial counting information is sensitive? 24 / 24

Recommend


More recommend