This document summarizes a presentation on scaling privacy guarantees in code verification elections. It discusses previous work on internet voting that aimed to guarantee vote integrity and secrecy against a malicious personal computer. It then presents a new vote verification protocol that uses secret sharing across multiple identical voting servers to avoid infrastructure server collusions. Each server receives a share of the vote and provides its share to the voter for verification. The protocol is adapted to also work for code verification elections and visual vote representations.
Code Verification Elections
1. Scaling Privacy Guarantees in Code Verification Elections
Anthi Orfanou
Columbia University
July 18, 2013
Joint work with Aggelos Kiayias (University of Athens)
Anthi Orfanou (Columbia University) Scaling Privacy Guarantees July 18, 2013 1 / 19
2. Internet voting / The untrusted platform problem
Voters: Cast votes
Personal Computers: Encode, encrypt and submit votes
Vote Collectors: Receive and store votes
Talliers: Process the votes and compute the result
The untrusted platform problem:
PC is vulnerable
malicious software attempts to modify the vote
[Figure: Voter, PC, Internet, Vote Collector, Tallier]
3. Previous work
Code Voting [SureVote: Chaum’01] [PGD: RT’09, HRT’10] ...
Vote secrecy & vote integrity against malicious PC
Code Verification Voting [HLV’10] [Gjøsteen’10,’11] [Lipmaa’11]
Simpler approach
Integrity against malicious PC (the PC sees the vote)
Uses receipts to guarantee correct vote submission
generation, distribution, reconstruction phases
Requires secondary platform that receives the receipts (e.g. mobile phone)
Requires 2 attacker-free channels
Pre/Post-channel: receipt distribution, receipt feedback
Postal service/SMS
4. Security Guarantees
Previous work [HLV’10] [Gjøsteen’10,’11]
Messenger server (MS): reconstructed the security code to be sent to the voter
Cast as intended: Detection if the PC is malicious. Violated: PC & MS coalitions
Vote Secrecy: Guaranteed against individuals only. Violated: VC & MS coalitions
Our results
Question: How to avoid the latter infrastructure server collusion attack?
Without additional PC-side secrets (key management) [Lipmaa’11]
Maintaining human verifiability
5. A New Vote-Verification Protocol
Use a set of identical voting servers:
No distinction between vote collectors & messenger
Share the receipt among the servers:
No share leaks information
The receipt can be:
the vote itself
or a voter-dependent security code as before
or a visual representation of the vote (image)
Voter verification: combine the shares to reconstruct the receipt
6. A New Vote-Verification Protocol
Assumption: an average human can do additions mod 10, 100, ...
Consider $m$ candidates in $\mathbb{Z}_m$ and $n \ge 2$ voting servers
Pedersen commitments, ElGamal cryptosystem over $\langle g \rangle_q \subset \mathbb{Z}_p$, $(q, p)$ primes, range proof in exponents [LAN’03]
The receipt is the actual vote
Let $u = \min_\lambda 10^\lambda$ s.t. $m \le 10^\lambda < q$; system parameters $(g, q, p, u)$
Broadcast channel from PC to the voting servers
Untappable (post)channel from servers to the voter
7. A New Vote-Verification Protocol - n Servers
Voter V:
Votes for $x \in \mathbb{Z}_m$
Picks $x_1, \dots, x_n \in \mathbb{Z}_u$ with $x = x_1 + \dots + x_n \bmod u$
$C_i = \mathrm{Com}(x_i)$
$E_t = \mathrm{Enc}_{tallier}(x)$
ZKP $\pi$
To the servers: $C_1, \dots, C_n$, $E_t$, $\pi$; in addition $\mathrm{Open}(C_1)$ to $S_1$, ..., $\mathrm{Open}(C_n)$ to $S_n$
Server $S_i$ ($i = 1, \dots, n$):
Open $C_i$; $\pi$: $x \in \mathbb{Z}_m$, $x = x_1 + \dots + x_n \bmod u$
Returns $x_i$ to the voter
Voter V checks: $x \stackrel{?}{=} x_1 + \dots + x_n \bmod u$
Tallier: receives $E_t$, outputs $x$
14. A New Vote-Verification Protocol
A 2-Server example

| Vote | 7 | 7 | 5 | 5 |
|---|---|---|---|---|
| Server 1 | 2 | 9 | 2 | 9 |
| Server 2 | 5 | 8 | 3 | 6 |
| Sum mod 10 | 7 mod 10 | 17 mod 10 | 5 mod 10 | 15 mod 10 |
15. Security & Complexity
Cast as intended: A correct receipt guarantees a successfully submitted original vote
Threshold vote secrecy: with an (n, n)-secret sharing scheme no coalition of less than n servers can extract information about the vote
Complexity (online exponentiations):
PC: $4(\lfloor \log_2(m - 1) \rfloor + 1) + 11n$, 1 signing
Server: $5(\lfloor \log_2(m - 1) \rfloor + 1) + 5n + 4$, 1 signing, 1 signature verification
16. Adaptation to Code Verification protocol
Code generation:
Pick $b_{V,1}, \dots, b_{V,n} \in \mathbb{Z}_u$
$b_V = \sum_{i=1}^{n} b_{V,i} \bmod u$
$\mathrm{Code}_V[x] = x + b_V \bmod u$
Voter V:
Votes for $x \in \mathbb{Z}_m$, $C = \mathrm{Code}_V[x]$
Picks $x_1, \dots, x_n \in \mathbb{Z}_u$ with $x = x_1 + \dots + x_n \bmod u$
$C_i = \mathrm{Com}(x_i)$
$E_t = \mathrm{Enc}_{tallier}(x)$
ZKP $\pi$
To the servers: $C_1, \dots, C_n$, $E_t$, $\pi$; in addition $\mathrm{Open}(C_1)$ to $S_1$, ..., $\mathrm{Open}(C_n)$ to $S_n$
Server $S_i$ ($i = 1, \dots, n$):
Holds $b_{V,i} \in \mathbb{Z}_u$
Open $C_i$; $\pi$: $x \in \mathbb{Z}_m$, $x = x_1 + \dots + x_n \bmod u$
$a_i = x_i + b_{V,i} \bmod u$, returned to the voter
Voter V checks: $C \stackrel{?}{=} a_1 + \dots + a_n \bmod u$
Tallier: receives $E_t$, outputs $x$
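The share-and-verify flow of the n-server protocol and its code-verification adaptation, as an added example that is not code from the presentation. The toy group ($p = 23$, $q = 11$, $g = 4$, $h = 9$, $u = 10$) and all function names are assumptions for illustration; $E_t$ and the ZKP $\pi$ are left out.

```python
import secrets
from itertools import product

# Toy parameters (constructed): subgroup of order q = 11 in Z_23^*; u = 10 satisfies m <= 10 < q.
P, Q, U = 23, 11, 10
G, H = 4, 9   # both have order 11 mod 23; a real setup needs log_G(H) unknown to everyone

def commit(x, r):
    """Pedersen commitment Com(x; r) = g^x * h^r mod p."""
    return pow(G, x, P) * pow(H, r, P) % P

def split(x, n):
    """(n, n) additive sharing: x = x_1 + ... + x_n mod u."""
    shares = [secrets.randbelow(U) for _ in range(n - 1)]
    return shares + [(x - sum(shares)) % U]

def pc_submit(x, n):
    """PC side: commitments C_i and their openings (x_i, r_i)."""
    xs = split(x, n)
    rs = [secrets.randbelow(Q) for _ in range(n)]
    return [commit(xi, ri) for xi, ri in zip(xs, rs)], list(zip(xs, rs))

def server_reply(C_i, opening, b_i=0):
    """Server S_i: check Open(C_i), reply a_i = x_i + b_{V,i} mod u (b_i = 0: the receipt is the vote)."""
    x_i, r_i = opening
    if commit(x_i, r_i) != C_i:
        raise ValueError("commitment does not open to the claimed share")
    return (x_i + b_i) % U

def voter_accepts(expected, replies):
    """Voter: add the replies mod u and compare with the vote, or with Code_V[x]."""
    return sum(replies) % U == expected

def run(intended, submitted, n, blinds=None):
    """One round; a malicious PC is modelled by submitted != intended."""
    blinds = blinds or [0] * n
    Cs, opens = pc_submit(submitted, n)
    replies = [server_reply(C, o, b) for C, o, b in zip(Cs, opens, blinds)]
    return voter_accepts((intended + sum(blinds)) % U, replies)  # Code_V[x] = x + b_V mod u

def consistent_votes(known_shares, n):
    """Votes a coalition cannot rule out when it knows only some of the n shares."""
    unknown = product(range(U), repeat=n - len(known_shares))
    return {(sum(known_shares) + sum(rest)) % U for rest in unknown}
```

With fewer than n shares, `consistent_votes` returns all of $\mathbb{Z}_u$, which is the threshold secrecy claim; with both shares of the 2-server example (2 and 5, or 9 and 8) it returns only the vote 7.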
20. Adaptation to Visual Vote verification protocol
Visual vote representation
Previous work: Visual Cryptography [NS’94]: secret sharing of an image
supervised (booth) voting [Chaum’04]
Our approach: Associate a message $x \in \mathbb{Z}_m$ with a simple image, with a provable relation
Visual sharing of shape descriptions (VSSD)
Consider two shapes that can be visually interpreted by a human:
A “full” circle
A “half” circle
21. Visual sharing of shape descriptions (VSSD)
What shape does the overlaying of two half circles create?
+ = full circle
+ = full circle
+ = half circle
+ = half circle
22. n-VSSD definition
In general $n$ share-holders (servers)
$M$: a set of $m \ge 2$ messages (candidates)
$D_x$: the set of visual descriptions for message $x \in M$, $|D_x| \ge 1$
$\Lambda$: the visual alphabet, a commutative semigroup with operation $\vee$
$P : M \to \Lambda^n$: randomized splitting function
Properties:
Solvability: $\forall x \in M\ \forall \langle v_1, \dots, v_n \rangle \in P(x)$: $\bigvee_{i=1}^{n} v_i \in D_x$
$(t, n)$-Resilience: Consider an $n$-tuple $w = (a \cup \{\#\})^n$ s.t. $w$ has (at most) $t < n$ known shares $a \in \Lambda$ and $n - t$ unknown shares $\# \in \Lambda$; then $\exists\, 0 < c < 1$ s.t. $\mathrm{Prob}_{v \leftarrow P(x)}[w \in v] = c$
24. Our approach: A 2-VSSD
Simple 2-VSSD: $n = 2$ servers, $m = 2$ messages
2 messages: $M^* = \{0, 1\}$
$\Lambda^*$ = { , }, $\vee$: visual overlaying (logical bitwise OR)
0 ↔ full circle: $D^*_0$ = { }, $P^*(0)$ = { , , , }
1 ↔ half circle: $D^*_1$ = { , }, $P^*(1)$ = { , , , }
General 2-VSSD: $n = 2$ servers, $m \ge 2$ messages
$M = \mathbb{Z}_m$, $k$ = # of bits of $m - 1$
$\Lambda = \Lambda^{*k}$
$P(x)$: splits each bit $b_i$ of $x$ in $\Lambda^*$
$D_x$: a description of $x$ is a concatenation of its bits’ visual descriptions in $D^*_x$
25. An example
| Message | Shape |
|---|---|
| 00 | Two full circles |
| 01 | Full circle followed by half circle |
| 10 | Half circle followed by full circle |
| 11 | Two half circles |

[Columns $D_x$ and $P(x)$: shape images]
(1, 2)-Resilience: Prob[( , #) ∈ P(0)] = Prob[( , #) ∈ P(1)] = Prob[( , #) ∈ P(2)] = Prob[( , #) ∈ P(3)] = 1/4
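A model of the 2-VSSD that checks solvability and (1, 2)-resilience by enumeration, as an added example that is not code from the presentation. The encoding of shapes as 2-bit masks (left half, right half, full) and the concrete contents of `P_STAR` are assumptions, since the slide's shape glyphs are not in the text; only the overlay as bitwise OR and the mapping 0 ↔ full, 1 ↔ half come from the slides.

```python
from fractions import Fraction
from itertools import product

# Assumed encoding: a shape is a 2-bit mask, overlaying is bitwise OR.
LEFT, RIGHT, FULL = 0b10, 0b01, 0b11
D_STAR = {0: {FULL}, 1: {LEFT, RIGHT}}          # 0 <-> full circle, 1 <-> half circle
P_STAR = {0: [(LEFT, RIGHT), (RIGHT, LEFT)],    # complementary halves overlay to a full circle
          1: [(LEFT, LEFT), (RIGHT, RIGHT)]}    # equal halves overlay to the same half

def bits(x, k):
    """The k bits of x, most significant first."""
    return [(x >> (k - 1 - i)) & 1 for i in range(k)]

def P(x, k):
    """All equally likely outputs (v1, v2) of the splitting function for a k-bit message x."""
    return [tuple(zip(*choice)) for choice in product(*(P_STAR[b] for b in bits(x, k)))]

def overlay(v1, v2):
    """Visual overlaying of two shares: position-wise bitwise OR."""
    return tuple(a | b for a, b in zip(v1, v2))

def describes(v, x, k):
    """True if v is a visual description of x, i.e. v is in D_x."""
    return all(s in D_STAR[b] for s, b in zip(v, bits(x, k)))

def decode(v):
    """What the voter reads off the overlay: full -> 0, half -> 1."""
    return int("".join("0" if s == FULL else "1" for s in v), 2)

def solvable(k):
    """Solvability: every split of every message overlays to one of its descriptions."""
    return all(describes(overlay(v1, v2), x, k)
               for x in range(2 ** k) for v1, v2 in P(x, k))

def share_probability(w, x, k, holder=0):
    """Probability over P(x) that server `holder` receives exactly the share w."""
    outs = P(x, k)
    return Fraction(sum(out[holder] == w for out in outs), len(outs))
```

For $k = 2$, `share_probability` is 1/4 for every share and every message, matching the resilience value on the slide, so a single server's share says nothing about the vote.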
26. A Visual Vote-Verification Protocol - 2 VSSD
Voter V:
Votes for $1 \in \mathbb{Z}_m$
$D_1$ = “full followed by half”
VSSD: $v_1, v_2 \leftarrow P(1)$
$v = (v_1 \vee v_2) \in D_1$
Commitments to $v, v_1, v_2$
$E_t = \mathrm{Enc}_{tallier}(1)$
ZKP $\pi$
To the servers: Commitments, $E_t$, $\pi$; in addition $\{\mathrm{Open}(\mathrm{Com})\}_{v_1}$ to $S_1$ and $\{\mathrm{Open}(\mathrm{Com})\}_{v_2}$ to $S_2$
Server $S_1$: $\pi$: VSSD($v_1$) ↔ $E_t$
Server $S_2$: $\pi$: VSSD($v_2$) ↔ $E_t$
Voter V checks: ( , ) ∨ ( , ) $\stackrel{?}{\in} D_1$
Yes: ( , ) ∈ $D_1$
Tallier: receives $E_t$, outputs 1
34. Future work
General (t, n)-VSSD?
Perhaps using Colored Visual Secret Sharing [VT’97]?
35. The end
36. References
David Chaum. Surevote. International patent WO 01/55940 A1, 2001.
David Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy, 2(1):38-47, 2004.
Kristian Gjøsteen. The Norwegian internet voting protocol. In VOTE-ID, pages 1-18, 2011.
Kristian Gjøsteen. Analysis of an internet voting protocol. IACR Cryptology ePrint Archive, 2010:380, 2010.
James Heather, Peter Y. A. Ryan, and Vanessa Teague. Pretty good democracy for more expressive voting schemes. In Proceedings of the 15th European conference on Research in computer security, ESORICS10, pages 405-423, Berlin, Heidelberg, 2010. Springer-Verlag.
Sven Heiberg, Helger Lipmaa, and Filip van Laenen. On e-vote integrity in the case of malicious voter computers. In ESORICS, pages 373-388, 2010.
Helger Lipmaa. Two simple code-verification voting protocols. IACR Cryptology ePrint Archive, 2011:317, 2011.
Helger Lipmaa, N. Asokan, and Valtteri Niemi. Secure Vickrey auctions without threshold trust. In Proceedings of the 6th international conference on Financial cryptography, FC02, pages 87-101, Berlin, Heidelberg, 2003. Springer-Verlag.
Moni Naor and Adi Shamir. Visual cryptography. In EUROCRYPT, pages 1-12, 1994.
Peter Y. A. Ryan and Vanessa Teague. Pretty good democracy. In Security Protocols Workshop, pages 111-130, 2009.
Eric R. Verheul and Henk C. A. Van Tilborg. Constructions and properties of k out of n visual secret sharing schemes. Des. Codes Cryptography, 11(2):179-196, May 1997.