Source Paper • “An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for Voting Over the Internet”, Indrajit Ray, (revisited) Indrakshi Ray, Natarajan Narasimhamurthi Paul Valiant extending work by Dale Neal & Garrett Smith The Problem Desirable Properties • We want a protocol for voting over the • Accuracy internet that has all the salient features of – A cast vote cannot be altered voting in person – An invalid vote is not counted • These properties can be grouped under – Each voter can verify that his/her vote is counted the categories Accuracy , Democracy , Privacy , and No Unauthorized Proxy • Democracy – Only an eligible voter can participate – Each voter can cast only one vote Desirable Properties (II) Desirable Properties (III) • In principle, if some property of the • Privacy election is compromised, some authority – A ballot cannot be linked back to the voter should be able to detect and prove it. who cast it • At worst, some consortium of people – (No vote buying) A voter cannot prove to should be able to prove it without someone else what his/her vote is compromising their own privacy • No Unauthorized Proxy – One breach of this occurs in a protocol – If a voter decides not to cast his/her ballot, no violation; I may have a hard time proving to party can take advantage of this and cast a someone that a server is ignoring me without forged ballot giving up some privacy. 1
Assumptions The Protocol 1. Ballot distribution: BD → V: {y,sig BD {h(y)}} V , sig BD {h(voter certificate)} • Any two parties can arrange a secure – y is the ballot number communication channel – h is a one-way permutation 2. Generating a voter mark: m=h(y) • Additionally, a voter can send secure, 3. Voter Certification: a. V → CA: {m*{r} CA ,sig V {m*{r} CA }} CA , {V,voter certificate, sig BD {h(voter anonymous messages (votes) to a server certificate)}} CA b. CA → V: {sig CA {m*{r} CA }} V • Certain systems that do not interact with 4. Vote Casting: voters in the voting process are secure a. V → Public FTP site: {{vote, sig CA {m}},h(vote, sig CA {m})} VC b. Public FTP site → VC: {{vote, sig CA {m}},h(vote, sig CA {m})} VC – The voter registry that knows the names of all c. VC → Public FTP site: sig VC {h(vote, sig CA {m})} d. Public FTP site → V: sig VC {h(vote, sig CA {m})} registered voters is secure 5. Vote counting: every message received by the authorities is made public. Votes are tallied and verified The Revised Protocol (I) The Revised Protocol (II) 1. Ballot distribution: BD → V: {y,sig BD {h(y)}} V , sig BD {h(voter certificate)} 1. Ballot distribution: BD → V: {y,sig BD {h(y)}} V , sig BD {h(voter certificate)} – y is the ballot number – y is the ballot number To the extent that we can verify a Let m be random. y is now useless – h is a one-way permutation – h is a one-way permutation y-m pair, we can identify people’s 2. Generating a voter mark: m=h(y) 2. Voter Certification: votes. This should not happen. 3. Voter Certification: a. V → CA: {m*{r} CA ,sig V {m*{r} CA }} CA , {V,voter certificate, sig BD {h(voter certificate)}} CA a. V → CA: {m*{r} CA ,sig V {m*{r} CA }} CA , {V,voter certificate, sig BD {h(voter certificate)}} CA b. CA → V: {sig CA {m*{r} CA }} V b. CA → V: {sig CA {m*{r} CA }} V 3. Vote Casting: 4. Vote Casting: a. V → Public FTP site: {{vote, sig CA {m}},h(vote, sig CA {m})} VC a. V → Public FTP site: {{vote, sig CA {m}},h(vote, sig CA {m})} VC b. Public FTP site → VC: {{vote, sig CA {m}},h(vote, sig CA {m})} VC b. Public FTP site → VC: {{vote, sig CA {m}},h(vote, sig CA {m})} VC c. VC → Public FTP site: sig VC {h(vote, sig CA {m})} c. VC → Public FTP site: sig VC {h(vote, sig CA {m})} d. Public FTP site → V: sig VC {h(vote, sig CA {m})} d. Public FTP site → V: sig VC {h(vote, sig CA {m})} 4. Vote counting: every message received by the authorities is made public. Votes are tallied and verified 5. Vote counting: every message received by the authorities is made public. Votes are tallied and verified Clarification: Suppose that given y, an authority could construct m. This would violate privacy. An alternative interpretation is that m is produced (from y) by some method known only to the voter. Here the voter could be expected to demonstrate that he produced m. We propose instead that the voter picks a random y, then uses h to generate m. He can prove that he generated m by exhibiting y (no one else can invert the permutation). This construction has the desired property that no one knows the origin of m until the voter chooses to reveal it. We note that from the perspective of a protocol, the above outlined procedure appears as if the voter just choose a random m, as in the next slide. The Revised Protocol (III) The Revised Protocol (IV) 1. Ballot distribution: BD → V:sig BD {h(voter certificate)} 1. Ballot distribution: BD → V:sig BD {h(sig R {V})} – h is a one-way permutation – h is a one-way permutation 2. Voter Certification: 2. Voter Certification: a. V → CA: {m*{r} CA ,sig V {m*{r} CA }} CA , {V, voter certificate, a. V → CA: {m*{r} CA ,sig V {m*{r} CA }} CA , {V, sig R {V} R , sig BD {h(voter certificate)}} CA sig BD {h(sig R {V})}} CA The voter certificate identifies the voter as The function h(x) does not add any b. CA → V: {sig CA {m*{r} CA }} V b. CA → V: {sig CA {m*{r} CA }} V eligible for the election. It is signed by the protection if the parties already know x 3. Vote Casting: Registration authority. 3. Vote Casting: a. V → Public FTP site: {{vote, sig CA {m}},h(vote, sig CA {m})} VC a. V → Public FTP site: {{vote, sig CA {m}},h(vote, sig CA {m})} VC b. Public FTP site → VC: {{vote, sig CA {m}},h(vote, sig CA {m})} VC b. Public FTP site → VC: {{vote, sig CA {m}},h(vote, sig CA {m})} VC c. VC → Public FTP site: sig VC {h(vote, sig CA {m})} c. VC → Public FTP site: sig VC {h(vote, sig CA {m})} d. Public FTP site → V: sig VC {h(vote, sig CA {m})} d. Public FTP site → V: sig VC {h(vote, sig CA {m})} 4. Vote counting: every message received by the authorities is made 4. Vote counting: every message received by the authorities is made public. Votes are tallied and verified public. Votes are tallied and verified Note: Here we make a best effort to clarify something that is Clarification: We mean specifically that for any run of the protocol with the above marked functions h, there is a corresponding run of the protocol without it, because all the involved parties can both apply vaguely specified in the paper. h, or “invert” it when they already know the inverted value. 2
Recommend
More recommend