68d8a3b245265848f91d10d0e3a7a820.ppt
- Количество слайдов: 40
MODINT: Compact modular arithmetic Java class library for cellular phones, and its application to Secure E-Voting Hiroaki Kikuchi Junji Nakazato (Tokai University, Japan)
Outline n Motivation q Mobile Voting n n n E-Voting Protocol Mod. Int: Java Class System
July 23, 2002 n The first e-voting in Japan q Niimi City assembly poll (Okayama pref. ) q 19, 000 eligible voters q 97 % of voters said “it is easy to poll” q Tallying took 25 min. q But spent 2 hours for tallying absentee ballot E-voting Machine http: //premium. nikkeibp. co. jp/biz/e-gov/
Cellular Phone n n 83 million (65. 2%) New Feature q Internet Access (85%) q Java-enable q E-Money n Security q Biometrics Docomo F 506 ic (Fingerprint Authentication)
Roadmap n. M-Voting (Mobile) 200? n. I-Voting (Internet) 2002 n. E-Voting (Electronic)
Difficulties n Limited Resources n Privacy Issue q CPU Power q Authentication q Memory q Tracing Voter 30 k. B (Docomo 506 i) q Java J 2 ME Subset of SDK No Big. Interger class
Malicious Students (voters) double casting non-eligible voter Good Bad Bad
Malicious Professor (counter) trace voters 1 ADM 02 1 ADM 03 1 ADM 04 Good Bad
Conflicting Requirements n Authentication q Professors don’t trust students. q to check eligible voters q to check no double casting n Anonymity q Students don’t trust professors. q to prevent from tracing voter (who casts bad evaluation) q to let voters cast honestly and peacefully
August 5 th 2002. n Basic Resident Register Network q Individual info: Address, Names, Birthdays, Sex. q 11 -digit Resident's certificate code. q A copy of resident’s certificate is available at any office around Japan. q Privacy Concern Kokubunji, Hino, Kunitachi: postponement of its operation. http: //www. lasdec. nippon-net. ne. jp/
Our Approach n Java Cryptographic Library q Development of Compact Modular Arithmetic n Secure Protocol for E-Voting q Privacy-Preserving Voting Protocol q Zero-Knowledge Proof
The Idea: Oblivious Counter ? = Good + Bad addition without decrypting 1 ADM 02 1 ADM 03 1 ADM 04 Good ciphertext Good Bad
Model C S=(s 1, s 2, . . , sn) T(bi) S’ A E[b 1] T=b 1+b 2+b 3 V 1 V 2 V 3 b 1 in {0, 1} b 2 b 3
1. LFSR n ƒ(x) = x 3 + x + 1 mod 2 x 3 x 2 D 3 q period: 23 – 1 = 7 x D 2 x 0 D 1 000 001 010 100 011 110 111 101 001
2. Homomorphic Encryption n Public-key Encryption E[x] q Homomorphism over GF(2) a, b in {m 0, m 1} E[a] x E[b] = E[a b] q Indistinguishablity » Given E[m 0] and E[m 1], hard to figure E[m 0] q Distributed Threshold Encryption » Key-generation, decryption (t-out-of-n) q Verifiable encryption
Homomorphism over GF(2) a, b E x ⊕ a⊕b E[a], E[b] E E[a⊕b]
Elgamal Encryption n Homomorphism E[a] = (ayr, gr) E[b] = (bys, gs) (abyr+s, gr+s) = E[ab] n 1 -bit EXOR E[1] x E[1] = E[1] x E[-1] = E[-1] x E[1] = E[-1]x E[-1] = E[1] 0 0=0 0 1=1 1 0=1 1 1=0
Protocol: E-Voting Vi b in {-1, 1} Vote C A A 1, A 2, A 3 = (E[-1], E[1]) SK A 1, A 2, A 3 C 1, C 2, C 3, PK Update A 1’=C 1 A 2’=C 2 A 3’=C 3 C 1, C 2, C 3 Decrypt 1, -1
3. Proof of Knowledge n Voter proves that his vote are either E[A 3], E[A 1 A 3], E[A 2] or E[A 1], E[A 2], E[A 3] without revealing his vote b (b = -1) (b = 1)
Evaluation n Security q Under the DDH assumption, no counter learns the vote. q With zero-knowledge proof, any misbehavior of voter, such as, double casting or bogus ballot, can be detected. n Performance q Communication and computational cost are O(log n).
Modint: Modular Arithmetic class Big. Integer Mod. Int Size 40 KB 6 KB # of methods 43 15 Integer object signed, unsigned, fixvariable length two arrays of one array int, sign, length
Problem in Big. Integer n c = a × b mod p a Modint c ≡ a × b (mod p) b c= a. multiply(b) a c= a. multiply(b) c c 2= c. mod(p) c’ c b
Sample Source Code n El. Gamal Encryption (c = myr mod p) p = new Mod. Int(“ 101”); m = p. get. Instance(“ 15”); y = p. get. Instane(“ 20”); q = new Mod. Int(“ 17”); r = q. get. Instance(“ 8”); c = m. multiply(y. power(r));
Implementation (1) n Java Applet with Http server (CGI)
Implementation (2) on Cellular phone
Processing Time [s] Performance 8 min. for 512 bit ciphertext and 3 -bit counter.
Bottleneck - Encryption
Reduction: Pre-Computation n Update Register Ci+1=E[1] × Ai × Anai E[1] = (gr, yr)
Summary n We have q proposed a protocol for Oblivious Counter q developed a compact Java modular arithmetic library, Mod. Int, and applies it to mobile voting system, q shown that 8 minutes for casting vote. n Future Study q Improvement performance q efficient zero-knowledge proof
1. Attempt in Niimi city The first e-voting in Japan
Casting n n n Insert the card to the machine. Choose a candidate and “click” by pen. Pull out the voting card on which the chosen candidate is stored. http: //premium. nikkeibp. co. jp/biz/e-gov/spnpa 01. shtml
Tallying n n Correct all votes from distributed polling booths (by car) Show the flash memory to witness (? ) Perform vote tallying using counting server (two PCs). (20 min. ) (manually) Tally absentee ballots (2 hours) counter Witness http: //premium. nikkeibp. co. jp/biz/e-gov/spnpa 01. shtml
What is good for e-voting? n Accuracy q No human mistake (? ) n Timeliness q No delay to tally many ballots n Low cost q No spent a lot of papers for ballot n Usability for voter q No requirement of writing names of candidates q Barrier-free voting machine
2. On Electronic Voting requirements
Approaches 1. Polling booth Niimi city (June 2002), Hiroshima city (2003) 2. Anonymous channel NEC digi-shuff (Sonobe Kyoto, May 2002), Votepia (FIFA World Cup, On-line Korea), e. Vote (U. S. ) 3. Oblivious counter Tokai univ. Off-line
Conventional voting Polling booth B Administrator A partition For eavesdropping List of eligible voters For double -casting voter V Ballot counting box C ballot Stamp of A For faked ballot shuffle For privacy
1. E-voting tech. in Niimi city A encryption For eavesdropping List of eligible voters For double -casting voter V Voting machine B Counting server C Voting smart card Compact Digital flash signature of A. memory For faced ballot Off-line For privacy
Anonymity n Relationship between players and knowledge Voting Counterin registration machine g server A B C Who V What b n Note: A, B, and C are not wired (off-line)
3. Oblivious Counter n State Machine (server) q Input: some ciphertexts of vote (1 or 0) q Function: Addition without decrypting q Output: the ciphertext of voting result n Feature q Does not know secret key q Does not learn the result q Does not require anonymous channel
Anonymity: Oblivious Counter Registrati on A Who Vi What bi Tally (b 1+. . +bn) Counter Ci Counters C 1, . . , Ck
68d8a3b245265848f91d10d0e3a7a820.ppt