forked from edfelten/cos432-lecture-notes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Lecture14.tex
129 lines (99 loc) · 5.24 KB
/
Lecture14.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
%!TEX root = InfoSec.tex
% Lecture 14: 3 November 2014
\sektion{14}{Electronic voting}
Requirements
\begin{itemize}
\item only authorized voters can vote
\item $\leq$ 1 ballot per voter
\item ballots counted as cast
\item secret ballot; "receipt-free" (cannot prove to 3rd party how you voted)
\end{itemize}
Logically, this involves two steps: (1) cast ballot into ballot box and (2) tally ballot box to get result.
\textbf{Old fashioned paper ballots} are cheap to operate, easy to understand, but problematic if ballot is long/complex. Trickery is possible to: For example, \textit{chain voting} is when ``goons'' fill out a ballot and coerce people to deposit that ballot into the box and return the blank one to them; repeats. There needs to also be a chain of custody on the ballot box.
\subsektion{End-to-End (E2E) crypto voting}
\begin{example}
Benaloh\\
\begin{enumerate}
\item voter encrypts ballot, casts ciphertext ballot
\item system publishes the ciphertext (CT) ballot on a public bulletin board
\item at the end of the election, tally the votes.
(1) shuffle and reencrypt CT ballots\\
CT ballots can't be matched to originals; trustees collectively decrypt CT ballots
(2) reencrypted CT ballots public, anyone can do tally
\end{enumerate}
\end{example}
The tricky part is reencryption.
\begin{definition}
Randomized encryption: One plaintext can go to many possible cipher texts
\end{definition}
\begin{definition}
Rencryption means that given ciphertext C, compute reenc(C) [randomized] such that
$$\text{decrypt(reenc(C)) = decrypt(C)}$$
Additionally, (C, reenc(C)) needs to be indistinguishable from (C, reenc(C')). Essentially, so you can't figure out which reencryption goes with which of the inputs.
\end{definition}
\subsektion{El Gamal encryption method}
\begin{itemize}
\item Public parameters g, p (like Diffie-Hellman)
\item Private key: x
\item Public key: $g^x \mod p$
\item to encrypt message m
\begin{itemize}
\item pick random value r
\item compute $(g^r \mod p,\ mg^{rx} \mod p)$
\item To decrypt with private key? Given (A, B) compute $A^{-x}B \mod p$
\end{itemize}
\end{itemize}
\subsektion{Reencryption in El Gamal}
\begin{itemize}
\item Given (A, B), generate random r'
\item Compute
\begin{align*}
(A*g^{r'} \mod p,\ B * g^{r'x} \mod p)
&= (g^r * g^{r'} \mod p,\ m g^{rx} g^{r'x} \mod p)\\
&= (g^{r+r'} \mod p,\ m g^{(r+r')x} \mod p)
\end{align*}
\item We see that $r+r'$ can decrypt the message! Also, these two CTs are indistinguishable!
\end{itemize}
\sidenote{
\textbf{How do we know shuffler didn't cheat?}\\
They start with a "ballot box" $B$ (sequence of encrypted ballots) and end with $B'$, which should be equivalent (reordering of reenc of $B$)\\
}
\textbf{Proof protocol}
\begin{itemize}
\item prover produces $B_1$
\item $B_1$ should be equivalent to $B$ and $B'$
\item prover (shuffler) knows the correspondence between $B$ and $B_1$, and also between $B_1$ and $B'$
Note: if $B$ is not equivalent to $B'$, then $B_1$ can't be equive to both
\item challenger flips coin, asks prover to show equivalence between $B$ and $B_1$, or $B'$ and $B_1$
\item prover ``unwraps'' the equivalence
``Look, we can get from $B'$ to $B$ by reenc with these random values then reordering like this''
BUT remember that you can't show the equivalence between all three because then the challenger would know a path from $B$ to $B'$ and you don't want that.
\end{itemize}
Play this proof game $k$ times. If the prover is lying ($B$ not equivalent to $B'$) he will get away with it with probability $2^{-k}$.
This whole complicated game is designed to convince us that B and B' are in fact equivalent without telling us what the exact mapping is between B and B'
\textbf{This seems like a problem} since there exists someone that know the correspondence between voters and ballots. BUT we can use multiple shuffling steps so that we only need one honest shuffler to maintain the secret ballot
\textit{Upshot: can know 1-1 correspondence between voters and published plaintext ballots, but not what the correspondence is}
\textbf{A lurking attack}
What if the voter remembers the random r used to encrypt their ballot? The voter can prove how they voted by revealing $r$.
$$\text{enc ballot} = (g^r \mod p, m g^{rx} \mod p)$$
Fix? Introduce a trusted voting machine that the voter cannot manipulate; it encrypts ballot and refuses to reveal $r$. But yet another problem: how do you know voting machine protects integrity and confidentiality of ballot?
\subsektion{In summary}
\begin{tabular}{|l|l|}
\hline
PAPER & ELECTRONIC\\
\hline
counting: slow, expensive & counting: fast, cheap\\
voter sees record directly & voter does not see record directly\\
main threat: tampering afterwards & main threat: tampering beforehand\\
\hline
\end{tabular}
\textbf{PAPER + ELECTRONIC RECORDS:} method of choice
Example: optical scan voting. Voter fills out paper ballot, feeds ballot not scanner, scanner records electronic record, paper ballot feeds into ballot box
HYBRID COUNT
\begin{itemize}
\item count electronic records
\item statistical audit for consistency of the paper records with the electronic records
\item for sample of ballots, compare by hand
\end{itemize}
% ELECTRONIC RECORDS:
% PAPER + ELECTRONIC RECORDS: <-- method of choice