Скачать презентацию Electronic Voting and Receipt-freeness Byoungcheon Lee 1 2 Скачать презентацию Electronic Voting and Receipt-freeness Byoungcheon Lee 1 2

70961e503621281f24095f54c245f091.ppt

  • Количество слайдов: 48

Electronic Voting and Receipt-freeness Byoungcheon Lee 1, 2, Colin Boyd 1, Ed Dawson 1 Electronic Voting and Receipt-freeness Byoungcheon Lee 1, 2, Colin Boyd 1, Ed Dawson 1 1 Information Security Research Centre, QUT 2 Joongbu University, Korea ARC Grant No: LX 0346868 Information Security Research Centre MCS Workshop, Melbourne

Contents 1. Introduction to electronic voting l l Classification Electoral systems Security requirements Approaches Contents 1. Introduction to electronic voting l l Classification Electoral systems Security requirements Approaches to electronic voting 2. Three main approaches l l l Blind signature based schemes Homomorphic encryption based schemes Mixnet based schemes Information Security Research Centre 2 MCS Workshop, Melbourne

Contents 3. Receipt-free voting protocols l l Receipt-freeness Hirt-Sako scheme [HS 00] In Homomorphic Contents 3. Receipt-free voting protocols l l Receipt-freeness Hirt-Sako scheme [HS 00] In Homomorphic encryption based voting [LK 02] In mixnet based voting [Lee et. al. 03] 4. Real world l l Votopia – 2002 Worldcup voting project, ICU, Korea Vote. Here – Seattle based active voting company 5. Conclusion Information Security Research Centre 3 MCS Workshop, Melbourne

1. Introduction to Electronic Voting Information Security Research Centre MCS Workshop, Melbourne 1. Introduction to Electronic Voting Information Security Research Centre MCS Workshop, Melbourne

Electronic Voting l Implement real world voting (election) by electronic means (using computer and Electronic Voting l Implement real world voting (election) by electronic means (using computer and network) User Mobile Network Multimedia Library University Internet Shopping Banking Information Security Research Centre Electronic voting 5 MCS Workshop, Melbourne

Why Electronic Voting? l Advantages l l Convenience for voters Efficiency of management, counting Why Electronic Voting? l Advantages l l Convenience for voters Efficiency of management, counting Provide alternative choice for voters rather than traditional paper-based voting Electronic voting can solve the problem of decreasing participation rate in voting l Younger generation prefers electronic means Information Security Research Centre 6 MCS Workshop, Melbourne

Classification of e-voting l Computer voting (kiosk, electronic voting booth) l l l Electronic Classification of e-voting l Computer voting (kiosk, electronic voting booth) l l l Electronic voting using computer in voting booth Convenient user interface Efficient management and tally But, just half way to electronic voting Internet voting l l l Electronic voting using computers connected to the Internet Can participate in voting in any place over the Internet Proceeding to mobile voting Information Security Research Centre 7 MCS Workshop, Melbourne

Electoral Systems 1. Plurality systems (First-Past-The-Post) l l l Winner is who received the Electoral Systems 1. Plurality systems (First-Past-The-Post) l l l Winner is who received the most votes regardless of majority requirement UK, Canada, USA Single non-transferable vote : Japan Block vote, Limited vote : Britain Approval voting : USA 2. Majoritorian systems l l l Winner is required to receive more than half Second ballot Preferential voting (Alternative voting) in Australia Information Security Research Centre 8 MCS Workshop, Melbourne

Security Requirements l Privacy (confidentiality) Prevention of double voting Universal verifiability (correctness) Fairness Robustness Security Requirements l Privacy (confidentiality) Prevention of double voting Universal verifiability (correctness) Fairness Robustness Receipt-freeness (prevent vote buying, coercion) l Efficiency, Mobility, Convenience, Flexibility l l l Information Security Research Centre 9 MCS Workshop, Melbourne

Approaches to Electronic Voting l Schemes using blind signature l [Cha 88], [FOO 92], Approaches to Electronic Voting l Schemes using blind signature l [Cha 88], [FOO 92], [OMAFO 99] l Efficient, but requires anonymous channel (frequently implemented using mixnet) l Schemes using mixnet l [PIK 93], [SK 95], [Abe 98], [HS 00], [FS 01], [Neff 01] l Require huge computation for mixing l Schemes using homomorphic encryption l [Ben 87], [SK 94], [CGS 97], [LK 00], [Hirt 01], [MBC 01], [BFPPS 01], [LK 02] l Huge proof size, restriction on message encoding l Many researches on receipt-freeness Information Security Research Centre 10 MCS Workshop, Melbourne

2. Three Main Approaches 2. 1 Based on blind signature 2. 2 Based on 2. Three Main Approaches 2. 1 Based on blind signature 2. 2 Based on homomorphic encryption 2. 3 Based on mixnet Information Security Research Centre MCS Workshop, Melbourne

2. 1 Based on Blind Signature l Main idea l Administrator issues valid ballots 2. 1 Based on Blind Signature l Main idea l Administrator issues valid ballots using blind signature (User authentication and vote secrecy) l Use anonymous channel to hide the voter-vote relationship (mainly implemented with mixnet) l Criticism l Hard to assume anonymous channel l If mixnet is used, blind signature is not necessary l User chosen randomness in blinding can work as a receipt Information Security Research Centre 12 MCS Workshop, Melbourne

Overview Talliers Administrator (1) Voter registration (encrypted ballot +blind signature) registration (3) counting (Threshold Overview Talliers Administrator (1) Voter registration (encrypted ballot +blind signature) registration (3) counting (Threshold decryption) (2) Voting (encrypted ballot + signature) Blinding Unblinding Anonymous channel Voters BBS Information Security Research Centre 13 MCS Workshop, Melbourne

Many Implementation Examples l Sensus l l L. F. Cranor, Washington Univ. http: //www. Many Implementation Examples l Sensus l l L. F. Cranor, Washington Univ. http: //www. ccrc. wustl. edu/~lorracks/sensus FOO 92 Assumption : anonymous channel, key distribution EVOX l l l M. A. Herschberg, R. L. Rivest, MIT, http: //theory. lcs. mit. edu/~cis/voting. html FOO 92 + Anonymizer Assumption : key distribution Information Security Research Centre 14 MCS Workshop, Melbourne

2. 2 Based on Homomorphic Encryption l Main idea l Tally the summed ballots 2. 2 Based on Homomorphic Encryption l Main idea l Tally the summed ballots with a single threshold decryption using the homomorphic property of encryption (keep the privacy of ballots) l Each ballot should be valid (voter should provide the proof of validity of ballot) l Relatively easy to design receipt-free voting schemes l Criticism l Message encoding is very restrictive l Large amount of ZK proofs, overload in computation and communication Information Security Research Centre 15 MCS Workshop, Melbourne

Overview Talliers (2) Counting (Threshold decryption) (1) Voting • Encrypted ballot • Proof of Overview Talliers (2) Counting (Threshold decryption) (1) Voting • Encrypted ballot • Proof of validity • Signature Sum up valid ballots Voters BBS Information Security Research Centre 16 MCS Workshop, Melbourne

2. 3 Based on Mixnet l Main idea l l Voters take part in 2. 3 Based on Mixnet l Main idea l l Voters take part in the voting in authentic way Encrypted ballots are shuffled using mixnet (anonymity) Multiple talliers open each ballot in a threshold manner (open only after mixing) Criticism l Large amount of computation for mixing Information Security Research Centre 17 MCS Workshop, Melbourne

Overview Mixers (1) Voting Encrypted Ballot Voters (2) Mixing Proof of correct Mixing BBS Overview Mixers (1) Voting Encrypted Ballot Voters (2) Mixing Proof of correct Mixing BBS 1 BBS 2 (3) Opening (Threshold decryption) Talliers Information Security Research Centre 18 MCS Workshop, Melbourne

3. Receipt-free Voting Protocols 3. 1 Receipt-freeness 3. 2 In Hirt-Sako scheme [HS 00] 3. Receipt-free Voting Protocols 3. 1 Receipt-freeness 3. 2 In Hirt-Sako scheme [HS 00] 3. 3 In Homomorphic encryption based voting [LK 02] 3. 4 In mixnet based voting [Lee et. al. 03] Information Security Research Centre MCS Workshop, Melbourne

3. 1 Receipt-freeness l Receipt-freeness [BT 94] l. A unique security requirement of electronic 3. 1 Receipt-freeness l Receipt-freeness [BT 94] l. A unique security requirement of electronic voting l Voter should not be able to construct a receipt l Voter must keep his vote private l Why is it important? l Vote buying is a common experience in real political voting (threat, solicitation) l Previous works l Studies on receipt-freeness had been done mainly in homomorphic encryption based schemes Information Security Research Centre 20 MCS Workshop, Melbourne

How to Achieve Receipt-freeness? l Using some kind of randomization service l l l How to Achieve Receipt-freeness? l Using some kind of randomization service l l l Voter has to lose his knowledge on randomness Designated-verifier re-encryption proofs Channel assumption is used l l One-way untappable channel from voter to authority [Oka 97] One-way untappable channel from authority to voter [SK 95, HS 00] Two-way untappable channel between voter and authority (using voting booth) [BT 94, LK 00, Hirt 01] Internal channel [MBC 01, LK 02, Lee 03] Information Security Research Centre 21 MCS Workshop, Melbourne

Tamper Resistant Hardware l Assumptions required for receiptfreeness l l l Third party randomizer Tamper Resistant Hardware l Assumptions required for receiptfreeness l l l Third party randomizer (trusted) Untappable channel (voting booth) Tamper resistant randomizer (TRR) l l can replace the role of “Third party randomizer + Untappable channel” Ultimate place to store user’s secret information Information Security Research Centre 22 MCS Workshop, Melbourne

Re-encryption (Randomization) Voter Randomizer (TRR) First ballot Final ballot (Signed) Check DVRP (designated verifier Re-encryption (Randomization) Voter Randomizer (TRR) First ballot Final ballot (Signed) Check DVRP (designated verifier re-encryption proof) through an untappable channel Information Security Research Centre 23 MCS Workshop, Melbourne

Designated-verifier Re-encryption Proof l Designated verifier proof l l Prove the knowledge of either Designated-verifier Re-encryption Proof l Designated verifier proof l l Prove the knowledge of either the witness in question or the private key of the designated verifier Using the chameleon commitment scheme witness in question or private key of the designated verifier l l Convincing only the designated verifier Completely useless when transferred to other parties, since the verifier can open the proof in any way he likes Information Security Research Centre 24 MCS Workshop, Melbourne

3. 2 Receipt-freeness in [HS 00] l Hirt and Sako, “Efficient receipt-free voting based 3. 2 Receipt-freeness in [HS 00] l Hirt and Sako, “Efficient receipt-free voting based on homomorphic encryption”, Eurocrypt 2000 l Basic idea: “Mix-then-choose” approach l Primitives l 1 -out-of-L re-encryption proof : authority proves publicly that she shuffles the ballots correctly l Designated-verifier re-encryption proof : authority proves privately to voter that which encrypted ballot is which Information Security Research Centre 25 MCS Workshop, Melbourne

Receipt-freeness in [HS 00] Re-encryption (randomization) Secure untappable channel 1 -out-of-L re-encryption proof Casting Receipt-freeness in [HS 00] Re-encryption (randomization) Secure untappable channel 1 -out-of-L re-encryption proof Casting Designated-verifier re-encryption proof (personally verifiable how shuffling was performed, but this proofs cannot be transferred) Information Security Research Centre 26 Voter MCS Workshop, Melbourne

3. 3 In Homomorphic Encryption Based Voting [LK 02] l l Lee and Kim, 3. 3 In Homomorphic Encryption Based Voting [LK 02] l l Lee and Kim, “Receipt-free electronic voting scheme with a tamper-resistant randomizer”, ICISC 2002 Basic Idea: Improved K-out-of-L voting scheme using l l Designated-verifier re-encryption proof (DVRP) Divertible proof of validity Divertible proof of difference Replace untappable channel and a third party randomizer by a tamper-resistant randomizer (TRR) Information Security Research Centre 27 MCS Workshop, Melbourne

Overview of Voting Protocol (1) System set-up Admin N Talliers (2) Registration (4) Tallying Overview of Voting Protocol (1) System set-up Admin N Talliers (2) Registration (4) Tallying Issue TRR (t, N) threshold decryption M Voters (3) Voting Ballot generation Ballot + Proof of validity TRR Information Security Research Centre BBS 28 MCS Workshop, Melbourne

Voting Stage TRR Voter BBS Encrypted first ballot Re-encrypted final ballot (signed) Designated-verifier re-encryption Voting Stage TRR Voter BBS Encrypted first ballot Re-encrypted final ballot (signed) Designated-verifier re-encryption proof Divertible proof of validity (signed) Divertible proof of difference (signed) Sign (approve) Voting (post signed messages) final ballot, proof of validity, proof of difference first signed by TRR and then signed by voter Information Security Research Centre 29 MCS Workshop, Melbourne

3. 4 In Mixnet-based Voting l l Lee, Boyd, Dawson, et. al. , “Providing 3. 4 In Mixnet-based Voting l l Lee, Boyd, Dawson, et. al. , “Providing receiptfreeness in mixnet-based voting protocols”, ICISC 2003 Incorporate receipt-freeness in mixnet-based electronic voting l l l Designated-verified re-encryption proof (DVRP) Using a tamper resistant randomizer (TRR) Mixnet voting + Randomization by TRR l l l 1. Voting (Randomization by TRR) 2. Mixing 3. Tally Information Security Research Centre 30 MCS Workshop, Melbourne

Mixnet Schemes l Mixnet provides anonymity service Inputs l Outputs Classification (based on mixing Mixnet Schemes l Mixnet provides anonymity service Inputs l Outputs Classification (based on mixing mechanism) l l l Mixer Decryption mixnet Re-encryption mixnet Classification (based on correctness proof) l l Verifiable mixnet: [Abe 99], [FS 01], [Nef 01], [Gro 03] Optimistic mixnet: [Jak 98], [Gol 02] Information Security Research Centre 31 MCS Workshop, Melbourne

In Mixnet-based Voting Overview (1) System set-up n Talliers m Mixers (2) Registration (5) In Mixnet-based Voting Overview (1) System set-up n Talliers m Mixers (2) Registration (5) Tallying Issue TRR (t, N) threshold decryption l Voters (3) Voting Ballot generation (4) Mixing BBS TRR Information Security Research Centre 32 MCS Workshop, Melbourne

(3) Voting stage Check DVRP BBS Voter Double signed final ballot first signed by (3) Voting stage Check DVRP BBS Voter Double signed final ballot first signed by TRR and then signed by voter • Re-encrypted final ballot (signed) Encrypted first ballot • DVRP Internal channel TRR Information Security Research Centre 33 MCS Workshop, Melbourne

4. Real World 4. 1 Votopia http: //mvp. worldcup 2002. or. kr/ 4. 2 4. Real World 4. 1 Votopia http: //mvp. worldcup 2002. or. kr/ 4. 2 Vote. Here http: //www. votehere. com Information Security Research Centre MCS Workshop, Melbourne

Activities in the Real World l International Projects l l Internet Voting Technology Alliance, Activities in the Real World l International Projects l l Internet Voting Technology Alliance, http: //www. ivta. org EU Cyber. Vote, http: //www. eucybervote. org Votopia, http: //mvp. worldcup 2002. or. kr/ Companies l l l Vote. Here. Net, http: //www. votehere. net/ Cyber. Vote. Com, http: //www. cybervote. com/ SCYTL, http: //www. scytl. com/ Campus-Vote, http: //www. campus-vote. com/ Exnet, http: //exnet. bizmag. co. kr Hwajinsoft, http: //www. hwajinsoft. co. kr Information Security Research Centre 35 MCS Workshop, Melbourne

4. 1 Votopia l l Developed by ICU (Korea) and NTT (Japan) Blind signature 4. 1 Votopia l l Developed by ICU (Korea) and NTT (Japan) Blind signature based Internet voting system l l l Anonymous channel by using mixnet Using Internet web browser Voting client is implemented by Java applet PKI based voter authentication Served for the selection of MVPs in 2002 FIFA Worldcup Korea/Japan l http: //mvp. worldcup 2002. or. kr/ Information Security Research Centre 36 MCS Workshop, Melbourne

Participants in the Project management Development of system Running the MVP voting C&IS Lab. Participants in the Project management Development of system Running the MVP voting C&IS Lab. ICU Prototype Crypto library NTT Insol Soft User Interface DB management STI U. Tokyo Internet Voting System for MVP of 2002 worldcup System Verification Java crypto library SECUi. COM KSIGN KISITI PKI service Hardware Resource Information Security Research Centre 37 Anti-Hacking MCS Workshop, Melbourne

Overall Configuration Voters R 1. After setting up secure session, download registration form Web Overall Configuration Voters R 1. After setting up secure session, download registration form Web servers CA server R 2. Send encrypted public key & registration information with session key R 3. Request certificate R 4. Issue certificate nload. Dow g votin t apple R 5. Save certificate V 1 C 2 . R V 3. Request Schnorr blind signature V 4. Receive Schnorr blind signature V 5. Verify admin’s blind signature . S C 3 V 2. Encrypt the ballot with counter’s public key in El. Gamal encryption Admin server en ec dq eiv ue ry et he DB server fo rt fin al all yin re su g lt V 6. Send encrypted ballot & admin’s digital signature V 7. Verify admin’s signature & decrypt ballot using counter’s private key Counter server Information Security Research Centre V 8/C 1. Save all decrypted ballots 38 MCS Workshop, Melbourne

4. 2 Vote. Here. net l Seattle based active voting company l l http: 4. 2 Vote. Here. net l Seattle based active voting company l l http: //www. votehere. net Many voting trials l l l Alaska Republican Party vote in January 2000 e-voting pilots for California, Arizona, Washington, and Alaska Swindon, UK, the first e-voting public sector vote in the world, over 4, 000 voters participated, May 2002 Information Security Research Centre 39 MCS Workshop, Melbourne

Technologies l Homomorphic encryption based techniques l l l Voter receives smart key card Technologies l Homomorphic encryption based techniques l l l Voter receives smart key card with unique ballot sequence number Use electronic voting machine (voting booth) Give a digital signature printed receipt to voters Heavily depend on trusted parties and machines (must believe verification code) Shuffling technology, A. Neff [ACM CCS 2001] l Verifiable permutation using iterated logarithmic multiplication proof Information Security Research Centre 40 MCS Workshop, Melbourne

Voting Stages Smart key card Voting machine Vote on the screen Printed receipt Verify Voting Stages Smart key card Voting machine Vote on the screen Printed receipt Verify via web Information Security Research Centre 41 MCS Workshop, Melbourne

5. Conclusion 5. 1 Korean activities 5. 2 Australian activities Information Security Research Centre 5. Conclusion 5. 1 Korean activities 5. 2 Australian activities Information Security Research Centre MCS Workshop, Melbourne

Korean Activities l Korea is a strong IT-based country l l e-government provides many Korean Activities l Korea is a strong IT-based country l l e-government provides many services currently l l Broadband Internet connection to more than 70% homes 30 million mobile users among 47 million population More than 10 million Certificate users (Internet banking) http: //www. egov. go. kr/ E-voting activities l l l Public forums, seminars E-voting for presidential candidate election in Democratic party, 2002 Some political parties are using Internet voting Information Security Research Centre 43 MCS Workshop, Melbourne

Australian Activities l Organizations l l Electoral Council of Australia (ECA) Australian Election Commission Australian Activities l Organizations l l Electoral Council of Australia (ECA) Australian Election Commission (AEC) ACT Electoral Commission Electronic voting trial in October 2001 l l Australian Capital Territory (ACT) Electoral Commission http: //www. elections. act. gov. au Information Security Research Centre 44 MCS Workshop, Melbourne

Comparison l Computer voting l l l A secure environment, but not convenient Many Comparison l Computer voting l l l A secure environment, but not convenient Many trials in many countries: USA, UK, Australia, Korea, etc… Using just network security mechanism (? ) – IPSec, SSL Suitable for serious political elections Internet voting l l More easy to participate in Have to use secure electronic voting protocols Authentication, Vote buying, Coercion issues Suitable for non-serious elections Information Security Research Centre 45 MCS Workshop, Melbourne

Internet Banking vs. Internet Voting ATM Banking Computer Voting Internet Banking Internet Voting Personal Internet Banking vs. Internet Voting ATM Banking Computer Voting Internet Banking Internet Voting Personal purpose Non-serious(? ) Secure environment Public communication channel Public purpose Serious (political) Non-serious (non-political) Information Security Research Centre 46 MCS Workshop, Melbourne

Further Works l Everlasting goal in research l l How to provide Australian preferential Further Works l Everlasting goal in research l l How to provide Australian preferential voting? l l l Designing voting schemes with more security, efficiency, and additional features Probably using mixnet voting approach Using real cryptographic protocols How to make it work in the real world? l l l More public activities – forum, workshop, standardization Supported by the government Good start with non-serious uses Information Security Research Centre 47 MCS Workshop, Melbourne

Q&A Information Security Research Centre MCS Workshop, Melbourne Q&A Information Security Research Centre MCS Workshop, Melbourne