
Cryptographic Protocols

Permanent Link: http://ufdc.ufl.edu/UFE0041188/00001

Material Information

Title: Cryptographic Protocols Revocable Anonymity and E-Voting
Physical Description: 1 online resource (126 p.)
Language: english
Creator: Arslan, Bekir
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2009

Subjects

Subjects / Keywords: anonymity, auditing, coercionresistance, controlled, electronicvoting, evoting, mercuri, mixnet, paillier, paperreceipts, pseudonymity, pseudonyms, receiptfreeness, revocation, vvpr, writein, zeroknowledgeproofs
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Our study lies in two areas of cryptographic protocols. The first area is anonymity, where we outline a protocol for anonymous communications supporting revocability and pseudonyms, making it possible to have anonymous yet stateful communications but also preventing malicious uses by having a possible (under certain conditions) revocation system. This is accomplished by registering a pseudonym-key pair using fair blind signatures, without revealing the pseudonym to the registering entity, but keeping sufficient information so that the pseudonym can later be revoked. This protocol has several potential uses, where not only anonymity is required, but a sense of reputation is also desired, and the possibility of revocation is either needed as a safeguard or part of the application itself. The second area is electronic voting, where we first establish some hybrid voting protocol and analyze the security and usefulness of similar protocols. The novel aspect of this protocol is that it uses both paper and electronic ballots, and it supports auditing of the electronic ballots using a sample of the paper-ballots. This has the benefit of not requiring a full recount yet still having another level of security for the electronic ballots. This feature is developed by having the voting device print the re-encrypted vote on the paper-ballots, which then can be used to check the correctness of the original encryption, without reducing the privacy of the voters. Lastly, we design an electronic voting protocol supporting write-in ballots, which can also be used in other voting systems that traditionally could not support write-in protocols. It satisfies both uncoercibility and verifiability, among other key requirements, and does not require any computational power from the voter, which makes it the first such protocol.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Bekir Arslan.
Thesis: Thesis (Ph.D.)--University of Florida, 2009.
Local: Adviser: Newman, Richard E.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2010-06-30

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2009
System ID: UFE0041188:00001


CRYPTOGRAPHIC PROTOCOLS: REVOCABLE ANONYMITY AND E-VOTING

By BEKİR ARSLAN

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA 2009

© 2009 Bekir Arslan

ACKNOWLEDGMENTS

I would like to express my appreciation for all the help I received from my advisor Dr. Richard Newman. His determined support, the enlightening discussions we had, his observations, corrections and comments were all integral to my work. I wish to thank the members of my committee, especially Dr. Meera Sitharam, for their help with writing this dissertation. My family's persistent support was another key ingredient, as well as the discussions with my brother, Dr. Guner Arslan. A heartfelt thank you goes to him and to my sister Gulay, my mother Selime and my father Cemal. Finally, the people who were always there for me, my friends. Ahmet Nalcacoglu, Volkan Kurtas, Umut Sargut, Oguzhan Topsakal, Mehmet Yesildag, Cem Boyac, Mete Takl, Hakan Dogan, Umud Devrim Yalcn, Frat Celikler and many more that I cannot list here. I am profoundly grateful for your help and support, I could not have done this without you. Thank you all.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS AND SYMBOLS
ABSTRACT

CHAPTER

1 INTRODUCTION

2 CRYPTOGRAPHIC BUILDING BLOCKS USED IN OUR PROTOCOLS
  2.1 Cryptographic Hash Functions
  2.2 Symmetric Encryption
  2.3 Public Key Cryptography
    2.3.1 RSA
    2.3.2 Paillier
      2.3.2.1 Proof of correct decryption of the Paillier threshold system
      2.3.2.2 Threshold version of Paillier cryptosystem
    2.3.3 Elliptic Curve Cryptography
  2.4 Blind Signatures
  2.5 Mix-nets
  2.6 Secret Sharing Protocols
  2.7 Proofs of Knowledge (Zero-Knowledge Proofs)
    2.7.1 Proof of Membership of a Given Set
    2.7.2 Proof of Knowledge for a Random Shuffle
  2.8 The Cut-and-Choose Method
  2.9 Master Key Generation
  2.10 Summary of Building Blocks

3 REVOCABLE ANONYMITY
  3.1 Introduction to Revocable Anonymity
  3.2 Problem Definition
  3.3 Previous Work
    3.3.1 APES: Controlled Anonymous Connections
      3.3.1.1 Basic solution
      3.3.1.2 Distributed solutions
    3.3.2 Pseudonymous Communications Infrastructure
    3.3.3 Anonymous Publication
  3.4 Our Contribution: Revocable Pseudonymity Protocol
    3.4.1 Participants
    3.4.2 Parameters
    3.4.3 Protocol Specification
      3.4.3.1 Registration
      3.4.3.2 Sending messages and revocation
    3.4.4 The Math In Detail
    3.4.5 Security Analysis
    3.4.6 Improvement: Access Control
      3.4.6.1 Single tiered
      3.4.6.2 Multi tiered
      3.4.6.3 Problem with new groups
    3.4.7 Applications
    3.4.8 Conclusion

4 ELECTRONIC VOTING
  4.1 Introduction to Electronic Voting
  4.2 System Design Perspective
  4.3 Voting System Requirements
  4.4 Previous Work
    4.4.1 Blind Signature Based Protocols
    4.4.2 Sensus
    4.4.3 Mix-net Based Protocols
    4.4.4 Prêt à Voter
    4.4.5 Homomorphic Encryption Based Protocols
    4.4.6 The Vector-ballot E-voting Approach
    4.4.7 Mercuri Method
    4.4.8 Major Issues With Systems Based on the Mercuri Method
    4.4.9 Other Protocols
      4.4.9.1 Threeballot
      4.4.9.2 Punchscan
    4.4.10 Possible Reasons for Not Adopting Advanced Cryptographic Schemes
  4.5 Our Contribution: Homomorphic-Mercuri Hybrid Voting System
    4.5.1 Protocol Specification
      4.5.1.1 Participants
      4.5.1.2 Voting
      4.5.1.3 Sample voting walk-through
      4.5.1.4 Details of the commitments and encryptions
      4.5.1.5 Proof of equality of product of submitted votes and product of randomized votes
      4.5.1.6 Tallying
      4.5.1.7 Proof of correctness of the decryptions
      4.5.1.8 Auditing
      4.5.1.9 Audit mechanism details
      4.5.1.10 Security improvement
      4.5.1.11 Using voting devices and paper ballot printers from two different suppliers
    4.5.2 Comparison
      4.5.2.1 Comparison with Prêt à Voter
      4.5.2.2 Comparison with the Mercuri method
  4.6 Security Analysis Methodologies
  4.7 Analysis of Our Voting System
    4.7.1 Requirements
      4.7.1.1 Primary requirements
      4.7.1.2 Secondary requirements
      4.7.1.3 List of requirements
    4.7.2 Assumptions and Trust
      4.7.2.1 The DRE and the voting booth
      4.7.2.2 Election authorities and DRE suppliers
      4.7.2.3 Bulletin board
      4.7.2.4 Voters
      4.7.2.5 Summary list of assumptions
    4.7.3 Attacker Based Analysis
      4.7.3.1 Attacks by the voter
      4.7.3.2 Attacks by the DRE
      4.7.3.3 Attacks by the authority
      4.7.3.4 Attacks by the coercer
    4.7.4 Collusions
      4.7.4.1 Voter and coercer
      4.7.4.2 DRE and authorities
      4.7.4.3 DRE and coercer
      4.7.4.4 Authorities and coercer
      4.7.4.5 DRE, authorities and coercer
    4.7.5 Recovery
  4.8 Conclusion

5 WRITE-IN BALLOTS
  5.1 Introduction to Write-in Ballot Support
  5.2 Previous Work
    5.2.1 Vector-Ballot Approach by Kiayias and Yung
    5.2.2 Pret-a-Voter
      5.2.2.1 Introduction
      5.2.2.2 Overview
      5.2.2.3 Set-up
      5.2.2.4 Ballot construction
      5.2.2.5 Tallying
      5.2.2.6 Security checks
      5.2.2.7 Checking the teller
  5.3 Our Contribution: Supporting Write-in Ballots
    5.3.1 Setup
    5.3.2 Participants
    5.3.3 Protocol Overview
    5.3.4 Vector Ballots
    5.3.5 Pre-Listed Candidates
  5.4 Write-in Ballot Details
    5.4.1 Ballot Construction
    5.4.2 Opening Ballots
    5.4.3 Auditing
    5.4.4 Proofs of Knowledge
      5.4.4.1 Proof of knowledge for the mixing phase
      5.4.4.2 Probability of a cheating mixer being caught
  5.5 Sample Protocol
    5.5.1 Voting
    5.5.2 Tallying
  5.6 Protocol Analysis
    5.6.1 Receipt-Freeness
    5.6.2 Vote cast as intended
    5.6.3 Authority-Voting Device Collusion
    5.6.4 Coercer-Voting Device Collusion
    5.6.5 Denial of Service Attacks
    5.6.6 Election procedures to improve security
  5.7 Conclusion

6 CONCLUSION
  6.1 Revocable Anonymity
  6.2 Hybrid Mercuri-Homomorphic Encryption Protocol With Audit Support
  6.3 Write-in Ballot Support

REFERENCES
BIOGRAPHICAL SKETCH

LIST OF TABLES

Table
3-1 Revocable pseudonymity protocol parameters
4-1 Sample ballot
4-2 Sample receipt

LIST OF FIGURES

Figure
4-1 Participants of the voting protocol
4-2 Candidate selection screen
5-1 Sample write-in ballot

LIST OF ABBREVIATIONS AND SYMBOLS

||      string concatenation
        XOR, true only if exactly one of the operands is true
Z_n     The multiplicative group of integers modulo n
AES     Advanced Encryption Standard
AIPI    Anonymous IP Infrastructure
DES     Data Encryption Standard
DRE     Direct Recording Electronic [Voting Machine]
DoS     Denial of Service
eVACS   Electronic Voting and Counting System
IP      Internet Protocol
P2P     Peer to peer
NIST    The National Institute of Standards and Technology
NSA     National Security Agency
Tor     The Onion Router
URL     Uniform Resource Locator
VVPR    Voter Verifiable Paper Receipt

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

CRYPTOGRAPHIC PROTOCOLS: REVOCABLE ANONYMITY AND E-VOTING

By Bekir Arslan

December 2009

Chair: Dr. Richard Newman
Major: Computer Engineering

Our study lies in two areas of cryptographic protocols. The first area is anonymity, where we outline a protocol for anonymous communications supporting revocability and pseudonyms, making it possible to have anonymous yet stateful communications but also preventing malicious uses by having a possible (under certain conditions) revocation system. This is accomplished by registering a pseudonym-key pair using fair blind signatures, without revealing the pseudonym to the registering entity, but keeping sufficient information so that the pseudonym can later be revoked. This protocol has several potential uses, where not only anonymity is required, but a sense of reputation is also desired, and the possibility of revocation is either needed as a safeguard or part of the application itself.

The second area is electronic voting, where we first establish some hybrid voting protocol and analyze the security and usefulness of similar protocols. The novel aspect of this protocol is that it uses both paper and electronic ballots, and it supports auditing of the electronic ballots using a sample of the paper-ballots. This has the benefit of not requiring a full recount yet still having another level of security for the electronic ballots. This feature is developed by having the voting device print the re-encrypted vote on the paper-ballots, which then can be used to check the correctness of the original encryption, without reducing the privacy of the voters.

Lastly, we design an electronic voting protocol supporting write-in ballots, which can also be used in other voting systems that traditionally could not support write-in protocols. It satisfies both uncoercibility and verifiability, among other key requirements, and does not require any computational power from the voter, which makes it the first such protocol.

CHAPTER 1
INTRODUCTION

Cryptography is the science of analyzing ciphers and using these ciphers to solve real life problems. Encryption and decryption are the two obvious parts of this science, however there is much more to cryptography. Cryptographic protocols are protocols that take the basic tools of cryptography - like encryption/decryption or digital signatures - and apply them to various practical yet complicated problems. There are many applications, from secure online payments, to secure multiparty computation, from electronic cash to secure key exchanges that can be solved using cryptography.

Historically, cryptography was all about ensuring data confidentiality by using ciphers and to a much lesser extent hiding data itself - which became known as steganography. It is reported that Julius Caesar used a simple form of a substitution cipher (the Caesar cipher), and the use of ciphers continued throughout the second world war, when the study of cryptography and especially cryptanalysis accelerated. However, what can be called the start of modern cryptography dates back to the Feistel structure used in IBM's Lucifer cipher and its open standard heir, DES (data encryption standard), widely used in modern computers [1]. The use of cryptographic protocols, i.e., sophisticated cryptographic systems, on the other hand, did not come into focus until RSA was first introduced, opening the way to many more cryptographic primitives to be used.

Our studies have two parts. The first part tackles a problem related to anonymity. Our aim is to design a message board-like application that requires authentication, yet supports anonymity under a pseudonym when sending messages. Furthermore it supports conditional (anonymity) revocation, i.e., the administrators of the protocol are able to revoke the identity of a user, if at least k out of n of them agree, where k and n are constants chosen at setup.

The key difficulty of this problem is the use of both anonymity with pseudonyms and revocation, seemingly contradictory concepts (and technically they are contradictory, but with anonymity in this context we do not mean full anonymity, rather we mean controlled anonymity, i.e., anonymity that can be revoked only by the authorities). The difficulty of this problem is to keep users anonymous (in a controlled way), yet giving them secret pseudonyms that can be used to build a reputation. There are protocols that support revocable anonymity (for example e-cash protocols) and there are also protocols that support pseudonymity (some general anonymous infrastructures built for the Internet support pseudonyms), however there was no protocol that supported both at the same time before.

Our contribution is the construction of such a protocol: supporting both revocation and anonymity with pseudonyms, in short revocable pseudonymity. It also includes a threshold scheme that requires significant cooperation among the authorities to achieve revocation, so does not give excessive power to a single entity. We believe that this protocol has many practical applications, from using it just as a sophisticated message board, to more specific applications like wikis, peer review, and collaboration systems.

The second part is related to electronic voting. In this area, the main issue is the ability to receive a receipt demonstrating that the vote is correctly counted - without explicitly giving a proof of vote that might be used for vote buying or coercion. The first problem we consider is related to the so-called Mercuri method [2] and another type of electronic voting system construction popular among researchers. The Mercuri method proposes to use printed paper ballots in addition to electronic ballots, in order to increase security and verifiability without the need for cryptography. The other voting system construction we mentioned solves many problems related to security using cryptography in an efficient manner. However, since using the Mercuri method alone would be ignoring all the research and contributions made in the last twenty years, our aim was to use the corpus of previous research to further advance the security of the Mercuri method.

Previous work relating the Mercuri method to the use of cryptographic tools is almost non-existent. The main reason is the fact that the Mercuri method solves many of the problems easily, however with the price of still having paper-ballots. The other possible reason is that this method came into popular use only recently.

Our contribution is the development of a protocol combining the Mercuri method with a popular type of (homomorphic encryption based) cryptographic electronic voting system, which leads to a voting protocol that is more secure than either and supports verifiability and receipt-freeness. Apart from combining these two protocols, our key contribution in this part is our novel and generic audit system, making the paper-ballots not only work as backup votes, but also as a way to sample and audit the electronic votes without conducting a full recount. This allows application of standard statistical methods to provide assurance of correct vote tallies, and to inform voting officials when full recounts may be needed.

Afterwards we evaluate the security of such voting protocols and analyze what such a combination accomplishes and if it is worth the overhead or redundancy that it brings. A further novelty is our use of a multilayer security analysis, which not only considers potential attacks and how the system defends against them, but which considers all the potential requirements that might be attacked by any of the potential attackers and points to any assumptions that need to be made for the system to be considered secure.

A third problem we address is supporting write-in ballots in the same type of voting protocols mentioned before. This is discouraging for electronic voting supporters, especially since the regular paper based elections supported it rather easily. Also, being able to vote for write-in candidates is currently required in many elections - primarily in the United States - so having write-in ballot support is also considered an important enhancement by researchers designing practical voting protocols.

The difficulty of this problem is that two very important requirements of voting protocols – uncoercibility and verifiability – which always seem to be contradicting each other, do so even more when write-in ballots are concerned. While most protocols supporting write-in ballots fail to satisfy one of these requirements, the few that got around this problem are not even close to being practical. Also, the only homomorphic encryption based protocols – which is considered to be the most efficient way to build a secure electronic voting system – that support write-in ballots, only do so by requiring the voter to have sufficient computational power to make encryptions. This again is not a practical assumption.

We present a protocol that is based on homomorphic encryption and supports write-in ballots, where the write-in ballots can be prepared by anyone inside the voting booth without any need for an external device with computational power. Our protocol supports both uncoercibility and verifiability and does not make any assumptions that would be hard to satisfy in practice. It is also a generic protocol that can easily be added to any homomorphic encryption based voting protocol.

We believe that having a threshold revocable pseudonymous protocol has many practical applications like wikis, collaboration and peer review systems, and multi-player games. Our hybrid voting protocol, on the other hand, is a welcome addition to the very important area of electronic voting and especially the audit mechanism gives a very useful and practical way to ensure the consistency and correctness of the electronic and paper ballots. Furthermore, our protocol for supporting write-in ballots gives a solution to a problem that at first sight looks unsolvable. This is due to the practical need of not having any computational power, yet requiring receipt-freeness and verifiability at the same time. Our protocol does this in a homomorphic encryption setting, which makes the solution even more remarkable. Apart from this novelty, it also fills an important gap in the electronic voting literature.

CHAPTER 2
CRYPTOGRAPHIC BUILDING BLOCKS USED IN OUR PROTOCOLS

In this chapter, we briefly explain some commonly used techniques in cryptography that we also employ. These can be viewed as the tricks of the trade, as most cryptographic protocols are based on one or more of these primitives. Their requirements, properties and shortcomings will be integral to the following chapters and as such one needs at least a basic understanding of these techniques in order to grasp the finer details of our research area and proposed protocols.

The following sections are not meant to be thorough, but should cover the fundamental ideas and in some cases some basic protocols. Furthermore we include references for further study and for the current state of the research areas for interested readers.

2.1 Cryptographic Hash Functions

Cryptographic hash functions are similar to the hash functions used in computing, functions that map large chunks of text into smaller text or to an integer. They usually are required to be easy to calculate and also to make it computationally infeasible to create texts that map into a specific hash value. Cryptographic hash functions on the other hand, also require some additional properties: making construction of text (or rather a text that maps to the same hash value) from the hash infeasible (i.e., preimage attack resistant), and being uniform - i.e., even a one bit change in the text should result in an approximately 50% probability of change on each bit of the hash value - are the more important ones. The difficulty of producing two texts with the same hash value (collision resistance) is another important characteristic of cryptographic hash functions. Their most common use is demonstrating data integrity [3] in a wide range of protocols. MD5 (message digest algorithm 5) and SHA-1 (secure hash algorithm) are two very popular examples of hash functions, however in the last few years security weaknesses found by many researchers [4–9] resulted in these protocols being considered broken and currently most modern protocols and security aware products use the new generation hash functions like SHA-256 [10]. In 2007, the National Institute of Standards and Technology (NIST) started a public competition for a new hash function¹ that will be called SHA-3.

¹ http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

There are also keyed hash functions - or message authentication codes - which apart from data integrity (by using a hash) also supply authenticity. HMAC [11] (keyed hash message authentication code) is the most widely known example of such a hash function.

2.2 Symmetric Encryption

An encryption algorithm is considered symmetric, if the same single key is used for both encrypting the plaintext and decrypting the ciphertext. Symmetric algorithms are widely used particularly because of the speed of modern algorithms. Most modern symmetric encryption schemes fall into one of two categories: Block Ciphers and Stream Ciphers [1]. Block ciphers take a block of text and a key and return the ciphertext. Stream ciphers on the other hand generate a sequence from a key which can then be used to encrypt the plaintext bit by bit or character by character.

Popular encryption methods all share some common properties, considered to be required to prevent various attacks against them. For example obtaining the key from the ciphertext or decrypting parts of a ciphertext using known plaintext-ciphertext pairs should be virtually impossible. The counterpart of cryptology that studies such potential weaknesses is called cryptanalysis.

DES [12], which was designed by the NSA, is the first popular modern symmetric encryption method. In the 80's and 90's it was widely used, later on mostly in the form of Triple-DES [13], in various applications ranging from the password system in UNIX to Internet applications. However, as researchers found weaknesses [14, 15] - which incidentally can be considered the beginning of modern cryptanalysis - and as the key size was beginning to be too small for modern hardware, its use was replaced by more secure alternatives. In 2001, NIST selected (and the US Government adopted) Rijndael [16] as the new standard, known as AES (advanced encryption standard), which is still in wide use.

2.3 Public Key Cryptography

One shortcoming of symmetric encryption algorithms is the need for both the sender and the receiver to privately agree on a key beforehand. In most cases this is not a problem, but in many cases - especially with the advance of the Internet - it is a serious issue. Asymmetric encryption is a clever solution to this problem: The key that is used for encryption and the key that is used for decryption are different. There are two keys, usually one public and one private, so that Alice can use Bob's public key² (which he publishes publicly) to send him an encrypted message (ciphertext) that only Bob (using his private key) can decrypt. In practice, the encrypted message will usually be a key for a (much faster) symmetric encryption algorithm, which will then be used for communication.

² It is customary to use the names Alice and Bob for participants in cryptographic protocols. The letters A and B are then used as shorthands, and the corresponding pronouns are used within the text. We employ the same convention in this dissertation. Note that sometimes rather than Alice and Bob, it is common practice to use other names so that the initial letters of the names and the party's roles agree. For example Victor and Peggy for the Verifier and Prover in zero-knowledge proofs.

In some asymmetric encryption algorithms, it is also possible to use the private key to encrypt and the public key to decrypt. This property is especially useful for signing messages. The sender can encrypt the message with his private key and the receiver can verify the authenticity of the message by decrypting the attached ciphertext using the sender's public key, and comparing it to the plaintext. There are several popular asymmetric encryption schemes (RSA [1, 3, 17], ElGamal [3], Paillier [18], etc.), here we give the algorithms for two of these:

2.3.1 RSA

RSA is one of the first public key encryption systems, which is still in wide use today. It is based on the difficulty of the integer factoring problem.

Key Generation:
1. Choose large primes $p$ and $q$.
2. Compute $n = pq$.
3. Compute $\varphi(n) = (p-1)(q-1)$. (Euler's totient function)
4. Choose a random integer $e$ less than $\varphi(n)$, co-prime with $\varphi(n)$.
5. Compute $d$, such that $de \equiv 1 \pmod{\varphi(n)}$.
6. $n$ and $e$ form the public key, while $d$ becomes the private key.

Encryption: To encrypt a message $m$, compute $c \equiv m^e \pmod{n}$.

Decryption: To decrypt, one takes the ciphertext $c$, and computes $m \equiv c^d \pmod{n}$.

For standards and best practices for using RSA see the NIST published standard [19]. Boneh and Franklin's publication [20] is the most influential work on generating shared keys for real-life use. For the 30 years since its first inception, many researchers analyzed the security of RSA. Boneh reviews the literature for the first 20 of these years [21]. [22–24] have some more recent developments in this area.

2.3.2 Paillier

Paillier is a homomorphic encryption system, i.e., for messages $a$ and $b$, and a key $K$, it holds that $E_K(a) + E_K(b) = E_K(ab)$, where $E_K(x)$ stands for encryption using the key $K$. Although not as widely used as RSA in practice, the homomorphism property makes it a popular choice for many protocols, especially in academic research papers.

Let $n = pq$, where $p$ and $q$ are prime, and $g$ satisfies $\gcd(L(g \pmod{n^2}), n) = 1$, where $L(u) = \frac{u-1}{n}$ and $= \mathrm{lcm}((p-1)(q-1))$.

The public key then would be $(n, g)$ and the private key. To encrypt m

To see why Paillier is a homomorphic encryption system, assume that we have two messages $m_1$ and $m_2$. These will be encrypted into $g^{m_1} r_1^n$ and $g^{m_2} r_2^n$, so that their product will be $g^{m_1+m_2}(r_1 r_2)^n$, which is the encryption of $m_1 + m_2$, leading to $E(m_1)E(m_2) = E(m_1 + m_2)$, the homomorphism property. Note that all computations are done modulo $n^2$.

The publications of Paillier [18] and Baudron et al. [25] have more details on the working and security of this cryptosystem. Damgard [26] shows how to give a zero knowledge proof of correct decryption and a method to make the cryptosystem a threshold encryption scheme. Ruiz and Villar show how to get a publicly verifiable secret sharing protocol using Paillier [27].

Since Paillier is the cryptosystem used in our proposed protocols, and in many other previous protocols, we give some zero knowledge proofs (see Section 2.7) needed for the application of electronic voting.

Note that RSA is homomorphic for multiplication, while Paillier is homomorphic for addition. Addition homomorphism is more desirable for voting because of the size complexity of the ballots and output.

2.3.2.1 Proof of correct decryption of the Paillier threshold system

The Paillier Threshold System relies on several authorities sharing the secret key. To prevent any malicious authority from obstructing the decryption phase, each authority needs to submit zero-knowledge proofs of correct decryption of their shares. The constructions and zero knowledge proofs in this section are from [28].

Let $G$ be a cyclic group of unknown order $m$. Let $g$ be a generator for and $h$ an element of $G$. We want to show that the discrete logarithm of an element $G$ in the basis $g$ and of another element $H$ in the basis $h$ are equal, without making the order $m$ known. To simplify the use in practical applications, a non-interactive zero-knowledge proof is given. Let $r$ be a random number in $[0, A]$. Compute $x = g^r$ and $x' = h^r$. Let $e$ be the hash value $H'(g, h, G, H, x, x')$, where $H' \in [0, B]$. Let $y = r + es$. A proof of

equality of discrete logs is such a pair $(e, y) \in [0, B] \times [0, A]$. It is checked by the equation $e = H'(g, h, G, H, g^y/G^e, h^y/H^e)$.

2.3.2.2 Threshold version of Paillier cryptosystem

In this section we detail the threshold version of the Paillier cryptosystem, including the zero-knowledge proofs of correct decryption.

Key Generation. Choose $n = pq$, such that $\gcd(n, \varphi(n)) = 1$. Let $m = \frac{(p-1)(q-1)}{4}$. Let be a random element from $Z_n$. Randomly choose $(a, b) \in Z_n \times Z_n$. Set $g = (1+n)^a b^n \pmod{n^2}$. The secret key $SK = m$ is shared with the Shamir scheme: let $0 = m$, randomly choose $t$ values $a_i$ in $\{0, \ldots, nm - 1\}$. Let $f(X) = \sum_{i=0}^{t} a_i X^i$. The share $s_i$ of the $i$th server $P_i$ is $f(i) \pmod{mn}$. The public key $PK$ consists of $g$, $n$ and the value $= L(g^{m}) = m \pmod{n}$. Let $VK = v$ be a square that generates the subgroup of squares in $Z_{n^2}$. The verification keys are generated by $VK_i = v^{s_i} \pmod{n^2}$, where $= s!$ and $s$ is the number of servers.

Encryption. To encrypt a message $M$, randomly pick $x \in Z_n$ and compute $c = g^M x^n \pmod{n^2}$.

Share Decryption. The $i$th player $P_i$ computes the decryption share $c_i = c^{2 s_i} \pmod{n^2}$ using his secret share $s_i$. Using the given proof of equality of discrete logarithms, he makes a proof of correctness by showing $c^4 \pmod{n^2}$ and $v \pmod{n^2}$ have been raised to the same power $s_i$ in order to obtain $c_i^2$ and $v_i$.

Combining. Assuming that at least $t$ decryptions have valid correctness proofs, let $S$ be the set of $t$ valid shares. The plaintext is computed by

$$M = L\left(\prod_{j \in S} c_j^{2\,{}^{S}_{j}} \pmod{n^2}\right) \frac{1}{4\,{}^{2}} \pmod{n^2}$$

where ${}^{S}_{j} = \prod_{j' \in S \setminus \{j\}} \frac{j'}{j' - j} \in Z$

2.3.3 Elliptic Curve Cryptography

First introduced by Victor Miller and Neal Koblitz [29], elliptic curve cryptography uses algebraic properties of elliptic curves to construct public key encryption systems.

The advantage over systems like RSA is that there is no sub-exponential method of deconstruction of the keys, making them sometimes more efficient than other similar systems. For a detailed and technical overview see the overview of Lopez et al. [30].

2.4 Blind Signatures

Although cryptographic signatures are used extensively in many protocols, in many cases there is a need for a way to sign a message without actually being able to read it. In a nutshell, this is what blind signatures [1, 31-33] accomplish. One potential application for these schemes would be to use them for notary purposes - if the signed document is secret and valuable. Another would be to use them in time-stamp protocols. One research area where blind signatures were fundamental for most solutions is e-cash. The ability to get e-cash from authorities without actually making it traceable is a problem where blind signatures were successfully applied.

To see how a blind signature scheme might work, consider this simple (yet not very secure) method based on RSA: To get a blind signature for a message $m$, the sender first generates a random number $r$, which is co-prime with $n = pq$. He then calculates $M = m r^e \bmod n$, where $e$ is the public exponent in the RSA system, and sends the result to the signing authority. The authority signs the message by finding $S = M^d \bmod n$, where $d$ is the private key of the RSA system. Now the sender can get the signature $s = S r^{-1} \bmod n$. Because $r$ is random, the signer gets no information about the message, yet the receiver can check the signature by comparing $s$ to $m^d$.

Research on blind signatures was very active in the 80's and 90's, where protocols with different security characteristics were proposed and where these protocols were used for different problems [34-36].

2.5 Mix-nets

Mix-nets were invented by Chaum [37], with the aim of sending anonymous email. Later improvements made it useful for several other purposes. The key idea is to put several messages into secure `envelopes', which are later mixed by several nodes so that

at the end the link between the leaving messages and arriving messages is lost. The challenge is ensuring that the mixes (shuffles) are done correctly (i.e., without one of the nodes cheating by changing one or more of the messages) and efficiently. This is usually handled by re-encrypting the encrypted inputs and having the nodes submit zero knowledge proofs that the re-encryptions are correct, without revealing the exact mapping of the mix. Of course, the length of these encrypted messages needs to be uniform, so that one cannot discover the mapping by observing the lengths of the input and output to a mix. Designing efficient mix-nets is still an active research topic [38-42].

2.6 Secret Sharing Protocols

A secret sharing protocol is used to share a secret (usually just a key) among many parties, such that the key can only be reconstructed when all parties agree. Several different ways of such protocols are proposed over the years [1, 28]. To prevent various problems, some improved protocols - called threshold secret sharing protocols - are designed so that $k$ out of $n$ of the players (k n) are sufficient to reconstruct the secret. These are also guaranteed to be secure even if there are certain number of malicious participants [25]. Recently some new protocols are published where there is not even a need for a central authority to distribute the shares of the key [43, 44]. Methods published by Fouque and Stern [45] as well as by Damgard and Koprowski [46] can be used to turn generic secret sharing protocols into trusted distributor free protocols.

A very simple secret sharing protocol would generate $n-1$ random binary numbers $r_i$. These numbers are then distributed to the first $n-1$ players, whereas the last player would get $k \oplus r_1 \oplus r_2 \oplus \ldots \oplus r_{n-1}$ where $k$ is the secret being shared and $\oplus$ is bitwise XOR. To reconstruct the secret, all $n$ players need to come together and combine their parts using the function again.

To get a simple threshold scheme where there are n players but k

a unique polynomial of degree $k$. Note that this method would also make it possible to recognize a few malicious players giving false information if sufficiently many players are honest. This method is the first threshold secret sharing protocol published by Adi Shamir in 1979 [47].

2.7 Proofs of Knowledge (Zero-Knowledge Proofs)

First introduced by Goldwasser, Micali and Rackoff [48], these are protocols where one player can prove knowledge of some fact to the other player, without actually revealing the fact. Their role is fundamental in many cryptographic protocols, when some participants cannot be assumed to be honest. Usually based on the challenge-response-verification paradigm (as in the cut-and-choose method), in general they can be made non-interactive using the Fiat-Shamir protocol [25, 49]. For some practical examples see [50], and for a more theoretic overview see [51].

In the following sections we give two examples of zero knowledge proofs. The first one is used to prove that an encrypted text is the encryption of a string in a given set. This proof has several applications [25] in the cryptographic protocols area. The second one is related to mix-nets. It is used to prove that a shuffle performed during a mix is correct, i.e., there is a one-to-one mapping between the incoming and outgoing ciphertexts so that their plaintexts are the same.

2.7.1 Proof of Membership of a Given Set

To prove that the encrypted vote is actually valid and well-formed, i.e., it is a single vote for a single candidate, we use a zero-knowledge proof showing that the plaintext (unencrypted vote) lies in a set of strings consisting of single votes for candidates. In other words, we show that $c(x, y)$ is an encryption of a member of the set $S = \{1, M, M^2, \ldots, M^{p-1}\}$. This is accomplished using the zero-knowledge proof detailed in [25], which is the source of this section.

Let $S$ be the set of messages (as described above in our case), and $c = g^{m_i} r^N \pmod{N^2}$. To prove to $V$ that $c$ encrypts a message in $S$:

1. The prover $P$ picks a random in $Z_N$. He randomly picks $p-1$ values $\{v_j\}_{j \neq i}$ in $Z_N$, and computes $u_i = p^N \pmod{N^2}$ and $\{u_j = v_j^N (g^{m_j}/c)^{e_j} \pmod{N^2}\}_{j \neq i}$. He then sends $\{u_j\}$ to $V$.
2. $V$ chooses a random challenge $e$ in $[0, A)$ and sends it to $P$.
3. $P$ computes $e_i = e - \sum_{j \neq i} e_j \pmod{N}$ and $u_i = r^{e_i} g^{(e - \sum_{j \neq i} e_j)/N} \pmod{N}$ and sends $\{v_j, e_j\}_{j \in \{1, \ldots, p\}}$ to $V$.
4. $V$ checks that $e = \sum_j e_j \pmod{N}$ and that $v_j^N = u_j (c/g^{m_j})^{e_j} \pmod{N^2}$ for each $j \in \{1, \ldots, p\}$.

2.7.2 Proof of Knowledge for a Random Shuffle

In our write-in protocol (Chapter 5) we use the same underlying mechanics as the Vector-Ballot Protocol from Kiayias and Yung. The following zero-knowledge proofs are taken from [52]. Here we give the non-interactive version for simplicity.

Define the predicate $Q^{m,V}_{cipher}$ as: $Q^{m,V}_{cipher}(r) = 1$ iff ${}_{pk}(r, m) = V$ where is the encryption function. Also note that proofs of knowledge of predicates can be combined by conjunctions and disjunctions efficiently [52].

The randomization of a ciphertext $C$ is done by $C' = {}_{pk}(0)\,C$. By defining $Q^{C_1, C_2, C'_1, C'_2}_{shuffle}(r_1, \ldots, r_k, ) = 1$ iff $C'_{(j)} = {}_{pk}(r_j, 0)\,C_j$

We reduce the proof to the usual proof of correct encryption of Paillier, by combining the vector ballots as disjunctions and conjunctions.

2.8 The Cut-and-Choose Method

This method is a common way of constructing zero knowledge proofs. The name comes from a well-known puzzle: How can Alice and Bob, who do not trust each other, cut a cake into two parts without making any measurements, so that both are satisfied with their half? The solution of this puzzle is that Alice (or Bob) cuts the cake while Bob (Alice) picks the half he (she) prefers. The idea is that since Bob will pick the larger one

if the halves are not the same size, Alice will cut the cake fairly. The way this idea usually works in cryptography is when Patrick wants to demonstrate to Victor that a number used in a protocol satisfies a certain property, without showing it directly, as this would reveal the secret that should remain hidden. To accomplish this, Patrick selects $n$ numbers that satisfy this property, and Victor randomly chooses $n-1$ of these numbers and challenges Patrick to demonstrate that the property is satisfied for these, which Patrick does. To cheat, Patrick needs to guess which number Victor would choose, which has a probability of $\frac{n-1}{n}$, meaning that for large $n$ Victor can be convinced that Patrick is not cheating.

2.9 Master Key Generation

Sometimes it is desirable to have a master key $K$, which has access to all the information the underlying keys $K_i$ have (i.e., can decrypt the messages that the underlying key can), but which cannot be constructed using the underlying keys. Kiesler and Harn [53] suggest a solution for this problem.

Here is a simple master key generation protocol, due to Akl [54]. Assume there are $n$ hierarchical user levels $U_i$, such that $U_i$ has access to all user levels $U_j$ for which i j. The algorithm to generate the keys is as follows. All calculations are done modulo $n = pq$.

1. The central authority generates a random key $K_0$.
2. Each user $U_i$ is assigned a public integer $t_i = \prod_{U_n\ U_i} p_n$, where $p_i$ is a small prime, and a key $K_i = k_0^{t_i}$.
3. Now user $U_i$ can generate the key for $U_j$ by $K_i = K_j^{t_i/t_j}$. This only works if $t_i$ $t_j$, which is only true when i j.

2.10 Summary of Building Blocks

These are the most important constructs that will have an integral role in the protocols we propose. While cryptographic hash functions, public key encryption (specifically Paillier), secret sharing protocols and zero-knowledge proofs will be directly or indirectly used in more than one protocol we propose, blind signatures are explained

because of their relation to fair blind signatures that will be discussed later. On the other hand, mix-nets will be used when constructing write-in ballot support for electronic voting systems, and master key generation will be useful in adding access control to our revocable pseudonymity protocol.
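
The non-interactive proof of equality of discrete logarithms from Section 2.3.2.1, applied to a decryption share as in Section 2.3.2.2, as an added Python example (not code from the dissertation). Assumed here: toy primes, SHA-256 as the hash H', the bounds A and B, g = 1 + n for the sample ciphertext, and the share exponent s_i used exactly as written in the text above.

```python
import hashlib
import math
import secrets

# Constructed toy modulus (illustration only): n = p*q, arithmetic in Z_{n^2}.
p, q = 1019, 1187
n = p * q
MOD = n * n
B = 2 ** 128   # challenge range [0, B)
A = 2 ** 320   # mask range [0, A); chosen to dwarf B * s so that y hides s


def challenge(g, h, G, H, x, x2):
    """H' of the text: hash the statement and the commitments into [0, B)."""
    data = "|".join(str(t) for t in (g, h, G, H, x, x2)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % B


def prove_equal_dlog(g, h, s):
    """Return G = g^s, H = h^s and a proof (e, y) that both use the same s."""
    G, H = pow(g, s, MOD), pow(h, s, MOD)
    r = secrets.randbelow(A)
    x, x2 = pow(g, r, MOD), pow(h, r, MOD)
    e = challenge(g, h, G, H, x, x2)
    y = r + e * s              # over the integers: the group order stays hidden
    return G, H, (e, y)


def verify_equal_dlog(g, h, G, H, proof):
    """Check e == H'(g, h, G, H, g^y / G^e, h^y / H^e)."""
    e, y = proof
    if not (0 <= e < B and y >= 0):
        return False
    try:
        x = pow(g, y, MOD) * pow(G, -e, MOD) % MOD
        x2 = pow(h, y, MOD) * pow(H, -e, MOD) % MOD
    except ValueError:         # G or H is not invertible modulo n^2
        return False
    return e == challenge(g, h, G, H, x, x2)


def sample_ciphertext(message):
    """Constructed Paillier-style ciphertext c = g^M x^n mod n^2 with g = 1 + n."""
    x = secrets.randbelow(n - 2) + 2
    while math.gcd(x, n) != 1:
        x = secrets.randbelow(n - 2) + 2
    return pow(1 + n, message, MOD) * pow(x, n, MOD) % MOD


def decryption_share(c, v, s_i):
    """Server i: share c_i = c^(2 s_i), verification key v_i = v^(s_i), and the proof."""
    v_i, _c_i_squared, proof = prove_equal_dlog(v, pow(c, 4, MOD), s_i)
    return pow(c, 2 * s_i, MOD), v_i, proof


def check_share(c, v, c_i, v_i, proof):
    """Anyone can check that c^4 and v were raised to the same power."""
    return verify_equal_dlog(v, pow(c, 4, MOD), v_i, pow(c_i, 2, MOD), proof)
```

A share computed with any other exponent, or a proof whose y has been altered, makes the recomputed hash differ from e, so the combiner can discard that server's share before interpolation.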

CHAPTER 3
REVOCABLE ANONYMITY

3.1 Introduction to Revocable Anonymity

Anonymity, in addition to privacy, authenticity, and integrity, is a primary application of cryptography. Several problems require methods supplying anonymity, and it is the key issue for some problems in the field, e.g., e-cash and e-voting. Several general purpose networks like Anonymizer¹ or Tor,² or more specific anonymous networks, like the P2P (peer to peer) network FreeNode,³ have been designed over the years, and their popular use underscores the need for anonymity in today's world.

¹ http://www.anonymizer.com/
² http://www.torproject.org/
³ http://freenode.net/

Although these networks are technically sound, there are some cases where anonymity is required but these networks are not sufficiently equipped for practical use. One example is that sometimes it is preferable not to have complete anonymity, usually to prevent users from breaking the rules or being able to stop criminals by not letting them hide behind the anonymity supplied by these networks. A well known example for such a problem is e-cash, where money laundering and blackmail is a serious problem that cannot be solved with completely anonymous networks. These issues caused researchers to develop revocable anonymity, where authorities have the power to identify users participating in the protocol if the need arises.

Even though that is usually a sufficient solution when there is one authority (like a judge in real life) who should have the power to decide if anonymity should be revoked for a user, in some applications giving this much power to a single entity is not ideal. Our proposed protocol is a practical solution for those applications. It distributes the power to revoke to several authorities - thanks to Shamir's secret sharing protocol, ensuring that at

least some minimum number of them agree on the necessity for revocation. Furthermore, it assigns pseudonyms to users, which makes it possible to have a distinct presence (or reputation) in the network, so that messages from the same user can be verified to be so, while still being anonymous or rather pseudonymous. Another advantage to the use of pseudonymity for the registrars is the possibility to see all the messages that a specific user sent, which can be used to decide if revocation is indeed necessary. Our main contribution is the use of pseudonymity alongside a scheme giving a possibility of revocation when a sufficiently large group of authorities agree on the need for it.

3.2 Problem Definition

The problem we are addressing can be specified in general terms as designing a protocol that simulates a message board satisfying the following requirements:

1. Posting to the board requires registering a pseudonym and an asymmetric key pair associated with it. However the registrar should not be able to discover the link between the users and pseudonyms. Registration will require authentication, however the extent of this will depend on the application. It can vary from real world authentication like driver's license ID or social security number, to just the IP (Internet protocol) address or even an email address of the user.
2. The user can post several messages using the same pseudonym. Since these messages will need to be signed, no user will be able to send a message without a pseudonym, or using a fake one.
3. If $k$ out of $n$ registrars cooperate, the link between the pseudonym and the user can be identified. Since all messages are signed by a key associated with a specific pseudonym, all the messages from that particular user will be known. If there are less than $k$ registrars cooperating, the pseudonym cannot possibly be revealed.

In addition to these requirements, security and privacy concerns will also need to be satisfied.

3.3 Previous Work

In the cryptographic protocols area, there are several research problems which are similar to our problem. Electronic Voting - to some extent - shares some similarities to this problem, as it also requires authentication and anonymity. However e-cash is probably the most similar, because unlike voting, e-cash protocols are not used just for one message.

The major difference between both of these problems and the problem at hand is the need to eliminate duplicates - in our problem it is permissible to send several messages after one registration. Another difference is the use of pseudonyms, which is not used in e-cash protocols, as it would link transactions and thereby reduce anonymity and privacy. As noted before, the e-cash literature has many ideas which might be a good starting point for this protocol. The main reason for this is (other than the general similarity of the problems) that in recent years much research has been done to prevent the use of e-cash for criminal activities like money laundering. This has resulted in many protocols where the anonymity can be compromised if authorities see a criminal activity. The most commonly used principle in these protocols is the use of fair blind signatures.

There are several schemes which employ revocable anonymity schemes in the context of e-cash [55-59]. The main differences between these protocols are usually in how much the authorities/trustees are separated from the e-cash issuer banks. Some of these protocols use markers to later detect the misused or unfairly received money [58, 59], while others recover the identity of the user. There are also differences with respect to efficiency and defenses to some esoteric attacks against the systems.

Preventing criminals from using e-cash systems for their own purposes was the key reason older protocols were not considered practical. In 1995, Stadler et al. proposed a variation on blind signatures, called fair blind signatures, specifically for this problem [60]. Camenisch et al. designed an e-cash system where the anonymity can be revoked by third party trustees to prevent criminals from using anonymity for their own purposes [57]. The difference from previous work was that it does not use an inefficient cut-and-paste scheme and does not necessitate the trustees to be part of the authorization process. Jakobsson and Yung propose a protocol which also guards against possible attacks like coercion of cash issuing banks [55]. Although it might be possible for these protocols to be modified to be used for our purposes, the need for minimal involvement of the authorities on each transaction and the requirement of $k$ out of $n$ security threshold turn out to be serious

problems. Another important problem would be - similar to the problem with general purpose anonymizers - the case that messages cannot be linked to the same user without revocation, which is a requirement in our model.

There are also some generic schemes for controlled anonymity. Claessens et al. have several publications [61-63] about this problem as part of the "APES: Anonymity and Privacy in Electronic Services" work group in the Katholieke Universiteit Leuven, Belgium. Both their work and the work of Kopsell et al. [64] have as a purpose the design of general methods for controlling anonymity, usually built on top of a general purpose anonymous communication system like DC-nets [65] or Tor (the onion router). But since this service is based on a general purpose anonymous network, applying it to our problem would be difficult. One reason is the assumption of an anonymous network where the protocol can operate. Another point is the need to combine the judge, the law enforcement agency and the authorities into one without jeopardizing anonymity, because these parties are all different entities in these networks. But the most serious problem is that a protocol constructed this way can only identify the sender for each message separately, and there is no easy way to find all messages sent by the same user (without opening them all), or deducing if two messages are sent by the same sender without opening them. In other words, pseudonyms are not used, and each message has in effect a distinct random pseudonym.

Several other publications proposed related protocols. Zwierko and Kotulski propose a scheme where authentication is done on a group level, i.e., anyone in a certain group can authenticate himself as a member of the group, but his exact identity is not known outside the group [66]. Revocation then is done by identifying the exact member of the group that initiated the protocol. Wierzbicki et al. propose a protocol, designed especially for ad-hoc networks, but which can be applied to a wider range of problems [67]. It supports authentication, with possible revocations. However as the protocol focuses on network based attacks like `man in the middle,' each message (or rather connection) carries some

overhead, which would affect performance in most settings. Another similar protocol is proposed by Lysyanskaya et al. [68], however like many other similar protocols it does not support revocation.

3.3.1 APES: Controlled Anonymous Connections

Claessens et al. propose 3 different methods for controlled anonymity [61]:

3.3.1.1 Basic solution

The entities are: the initiator who is trying to access the Internet anonymously, the mix entity providing the anonymity service, the management entity distributing tickets needed for the service and having the ability of revocation, when the trustee needs to cooperate.

To access the Internet, the initiator generates a session key, where the public key will be the ticket. Using a fair blind signature, the management entity signs the ticket, after the initiator authenticates himself. The communication logs are stored, which enables later revocation. To connect to the Internet, the initiator sends the signed ticket and the responder's address to the mix entity along with a proof of knowledge of the private key of the ticket (as a signature). The management entity verifies the initiator's signature, logs the ticket and signature information. The mix entity on the other hand sets up a secure channel between the initiator and responder. Since the communication is mixed, the correspondence between the initiator and responder is hidden. For the revocation process, the management entity and the trustee retrieve the stored information about the ticket and using the underlying fair blind signature revocation, determine the identity of the initiator.

3.3.1.2 Distributed solutions

To increase the level of anonymity and decrease the amount of necessary trust on the mix entity, the previous protocol can be generalized to a distributed system. Two solutions are given, one based on Onion routing and one the Crowds system.

Although similar in design to our model, there are several differences between these protocols and our proposed protocol. The most important one is again the lack of pseudonyms. Here, different connections from the same user are not linkable without revocation, while it is a requirement in our model. Another difference is the use of (or lack of) threshold system for the revocation process.

3.3.2 Pseudonymous Communications Infrastructure

In his PhD thesis [69], Goldberg defines the nymity of a transaction to be the level of identity that is revealed. These are categorized as:

1. Verinymity: Social security number, address etc. Linkability and permanence are the two key properties for this type.
2. Persistent Pseudonymity: Pseudonym (in the pen name sense). Another type could be defined as unforgeability, where someone else's use of the same pseudonym is prevented.
3. Linkable Anonymity: Prepaid phone cards, frequent purchaser cards etc.
4. Unlinkable Anonymity: Cash etc.

Goldberg then continues to design an anonymous IP infrastructure (AIPI), which has three key components:

1. The IP Wormhole: This is a communication channel, which can be set up by a client between himself and an exit node, and used to protect the identity of the client from adversaries. Although there are some differences, the exit nodes are similar to proxies that are used in other anonymizer networks, and the Wormhole IP is just a structure that uses techniques similar to IP tunneling to hide the identity of the client from the rest of the world.
2. The Network Information Database: This is a database that keeps a list of all the exit nodes along with their private keys.
3. Application Level Proxies: These are proxies that sanitize the incoming data for anonymity and to protect AIPI from attacks or from malicious uses.

The similarities of Goldberg's work and our work is that anonymity is not revocable. Furthermore, although the details are not stated here, this protocol is designed as a layer

on top of the currently used TCP (transmission control protocol). His protocol is much more general, but he does not consider revocation.

3.3.3 Anonymous Publication

Goldberg and Wagner propose a protocol which features anonymous publication [70]. The idea is to use rewebbers as the backbone. These rewebbers are very similar to nodes used in onion routing, except rewebbers operate on the application level, so in a way they offer a simplified version of onion routing. The rewebbers make it possible to hide the location of the main servers. This is accomplished by nesting the URLs (uniform resource locator), only the immediate node on the path being visible, the rest being encrypted. On top of these are the so-called taz servers. These servers supply the main publications, usually in an encrypted manner. This prevents locating the server by searching the text after one receives a document. The taz servers also support pseudonyms, which makes them more interesting. The similarities of this system and our suggested system are easy to see, both supply a way to publish documents (or messages, there is no real difference) from a user with a pseudonym. But the way they work is very different. In our system registration is required, so there is an authentication requirement, whereas there is none when using taz servers. Also taz servers do not support anonymity revocation, although this does not mean that the ID or location of the server can never be discovered.

While some of these protocols are more generic (and hence have more requirements from the environment they can be used in) than necessary, the others have no pseudonym or revocability support. In short, neither of these protocols can be used as a solution to our problem, which is to have revocable pseudonymity combined with a threshold scheme for possible revocations. In the next section we give our proposed protocol which solves this problem.

3.4 Our Contribution: Revocable Pseudonymity Protocol

The protocol is based on the fair blind signature protocol using cut-and-choose, designed by Stadler et al. [60]. It uses fair blind signatures to register the pseudonym-key

pair, without the registering party seeing the pseudonym. This way the link between the user's identity and the pseudonym can only be uncovered by using the revocation procedure. Furthermore, the key required for the revocation procedure is shared between multiple authorities using a threshold secret sharing system.

Before the registration phase, the registrars will have obtained a shared key to be used in case revocation is required. During the registration phase, the user registers a pseudonym and an associated public key, which the signer will not be able to see and therefore will not be able to link afterwards to the user. After the registration, the user will be able to submit messages using the pseudonym and adding a signature, which can be verified with the associated public key. The registrars will save a transcript of the registration phase in a database, which can later on be used to revoke anonymity.

3.4.1 Participants

Before giving a complete description of the protocol, we list the involved parties:

- The user $U$, who is trying to register a pseudonym $P$ and its associated public key $PK$.
- The $n$ registrars $R_i$, who will have the power to trace the user of any message, when $k$ of them agree. The registrars will only be an active part of the protocol during a possible revocation.
- The signer $S$, who will be signing $(P, PK)$, thereby granting the user access. $S$ can be one of the registrars or a different entity. $S$ will need to be able to authenticate $U$, but can also delegate this process to another trusted party.

The basic scenario will start with the user registering a pseudonym to the signer, whereby the signer checks the authentication of the user and gives the pseudonym access at the end. The user will then be able to post several messages using the pseudonym, without being linked to it. We will also describe how the registrars might revoke the anonymity of the user by establishing the link to his pseudonym, if a sufficient number of them agree to do so.

3.4.2 Parameters

Table 3-1 lists the parameters, variables and functions used in the protocol.

Table 3-1. Revocable pseudonymity protocol parameters

$(N, e)$ and $d$    The signer's public key, and private key, respectively
$E_R$               The registrar's encrypting function. It can be decrypted by $k$ out of $n$ registrars. The keys can be distributed without a trusted authority using any of the protocols devised for this purpose [43, 44]
$H$                 A one-way secure hash function
$p$                 A security parameter. Increasing $p$ will decrease the forging probability exponentially, but will increase the overhead linearly
$m$                 The concatenation of $P$ and $PK$, separated by a delimiter

3.4.3 Protocol Specification

In this section we detail the specification of the protocol. We first describe the registration phase, and afterwards the process used for sending messages and revocation are explained.

3.4.3.1 Registration

The following is the description of the registration phase.

1. After authenticating herself, $U$ for $i = 1, \ldots, 2p$ randomly chooses $r_i \in Z_n$, and strings ${}_i$, ${}_i$. She then calculates $u_i = E_R(m \,\|\, {}_i)$ and $v_i = E_R(ID \,\|\, {}_i)$. After which she sends $m_i = r_i^e H(u_i \,\|\, v_i) \pmod{N}$ to the signer.
2. The signer then chooses a subset $S$ from $1..2p$ of size $p$, and sends it as a challenge to $U$. This will ask $U$ to demonstrate that $m_i$'s are well-formed with high probability.
3. For every $i$, $U$ sends $r_i$, $u_i$, ${}_i$ as a challenge response.
4. For every $i$, the signer checks if $m_i$ is equal to $r_i^e H(u_i \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N}$. If they check, being convinced that all $m_i$'s are well-formed, he sends back $b = \left(\prod_{i \notin S} m_i\right)^{1/e} \pmod{N}$.

3.4.3.2 Sending messages and revocation

After the registration phase, the $U$ can start sending messages, which will include signatures that the system will verify. In this section we explain how this is accomplished and how a possible revocation would work.

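The signature can be formed by $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$ and the set $T = \{({}_i, v_i) : i \in S\}$.

The signature can be verified by $s^e = \prod_{(\,, v) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$.

Given the signature $(s, T)$, $k$ out of $n$ registrars can identify the user by calculating $ID$ from the $v_i$'s in $T$. Since the key for $E_R$ is shared between the registrars, it cannot be decrypted without at least $k$ of them.

3.4.4 The Math In Detail

Checking the signature is performed by $s^e = \prod_{(\,,\,) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$. To see why this works, recall that $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$, so

$$
\begin{aligned}
s^e &= \left(\frac{b}{\prod_{i \notin S} r_i}\right)^e \pmod{N} \\
    &= \frac{b^e}{\left(\prod_{i \notin S} r_i\right)^e} \pmod{N} \\
    &= \frac{b^e}{\prod_{i \notin S} r_i^e} \pmod{N} \\
    &= \frac{\left(\left(\prod_{i \notin S} m_i\right)^{1/e}\right)^e}{\prod_{i \notin S} r_i^e} \pmod{N} \\
    &= \frac{\prod_{i \notin S} m_i}{\prod_{i \notin S} r_i^e} \pmod{N} \\
    &= \frac{\prod_{i \notin S} r_i^e H(u_i \,\|\, E_R(ID \,\|\, {}_i))}{\prod_{i \notin S} r_i^e} \pmod{N} \\
    &= \prod_{i \notin S} H(u_i \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N} \\
    &= \prod_{i \notin S} H(E_R(m \,\|\, {}_i) \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N} \\
    &= \prod_{(\,, v) \in T} H(E_R(m \,\|\, {}_i) \,\|\, v_i) \pmod{N}
\end{aligned}
$$

3.4.5 Security Analysis

With any cryptographic protocol, care must be given to security, i.e., the design (and implementation) of the protocol needs to satisfy the requirements of the protocol. In other words, there should be no feasible way of recovering any secrets, even if some of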

the participants collude against another participating party. It is very easy to overlook some potential weaknesses against certain attacks to the protocols, furthermore protocol designers might not be considering all possible attack vectors.

To analyze the security of our protocol, we [loosely] base our methodology on the analysis carried out in the work of Diaz et al. [62]. Their work contains methodologies (rather than analysis of specific protocols) of several types of anonymity protocols. We build upon their final model for anonymous email analysis, while modifying and extending their work to fit our problem.

Revoking anonymity without k registrars: Since the registrars receive no information during the registration phase, the revocation will only be using the pseudonym, the message and the signature. The signature contains the tuple set $T$ containing $({}_i, v_i)$ along with $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$. However $s$ is computed without the use of $ID$, hence the only information the registrars have to get the $ID$ are the tuple set $T$, where only the $v_i$'s are significant for their purpose. If they can decrypt even just one of these $v_i$'s they would be able to get the $ID$, however the 's prevent (acting as salt) any trial-and-error method, so the problem reduces to deciphering any one of the $v_i$'s. This however is assumed to be secure by the secret sharing protocol, hence the registrars cannot identify the $ID$. Therefore we conclude that the underlying secret sharing protocol ensures that without $k$ out of $n$ registrars, they will not have sufficient information to find the real id of a user.

Revocation Without the Apparent Need: This is a problem that is not (or cannot be) solved in our model. It is assumed that fewer than $k$ out of $n$ registrars would be colluding, and so this problem reduces to `Revoking Anonymity Without k Registrars'. Still, if the above mentioned assumption cannot be reasonably made, the proposed protocol would not be a good fit.

Sending Messages Without Registering: A valid message needs to have a valid pseudonym/signature pair, so it is not possible to send a message without registering.

Also, forging the signature requires breaking the public key encryption system. Note that the prevention of non-valid messages will be done on the implementation level, where they will just be discarded rather than posted by the server. To see why forgeries need to break the public key system, note that the signature will need to satisfy $s^e = \prod_{(\,, v) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$. Even given the opportunity to choose any $(\,, v)$, the forger either needs to have access to the public key of the registrar, or break the public key system to get the $E_R(m \,\|\, )$ part. Without that, the only other possibility is that the forger can generate a required hash value by adjusting one of the $v$ values, which we assumed is not possible by our choice of secure hash function. So under these assumptions, the signature is not forgeable.

Linking Messages to Users without Revocation: Without $k$ out of $n$ registrars, they will have the same information as the underlying fair blind signature protocol has, so the safety of this protocol is satisfied if its safety is. Another way of seeing how this is not possible is by considering the easier attack of `having less than k registrars collude to revoke an identity' we analyzed, where we concluded that it is not possible. Any attacker will have less information than the registrars, so this attack would be at least as difficult. Another possible weakness is the communication channel having a leak whereby the identity of a user can be determined. This can be prevented by using secure communications, which is delegated to the implementation phase and not discussed in detail here.

Linking Messages to Each Other: This is of course possible as part of the protocol by design. However if a user has two pseudonyms, linking those two would only be possible if the same identity is used, in which case the problem reduces to `Linking Messages to Users without Revocation'.

Sending Non-authentic Messages: This requires the messages to be signed using forged signatures. Since a malicious user would only have the public key, the security of the system is safe as long as the underlying public key encryption system is safe. Also,

this is basically just one aspect we analyzed in the section 'Sending Messages Without Registering'.

Timing Attacks: Like many cryptographic protocols, this protocol is susceptible to timing attacks as well. The registrars can gather useful information on new users by observing messages from a new pseudonym. But completely solving this problem cannot be done on the design level and needs to be taken into account at the implementation/deployment level. One idea that can be used is to have a [random] minimum time period before a new user can post a message, which should give at least some protection against timing attacks.

3.4.6 Improvement: Access Control

Supporting access control in our proposed protocol would be useful in some settings, so in this section we give an easy way of augmenting the system with user groups and access control. The assumption is that the groups and associated users will be known (and administered) by the registrars, although modifying the setup to have the users set up their own groups is also straightforward.

3.4.6.1 Single tiered

During registration, each user gets keys $K_i$ for all the user groups $G_i$ he belongs to. Now each message (which also includes the pseudonym of the sender for privacy) sent to the board will be encrypted using this key. The group information will be added, so that users of the group will know which keys to use.

3.4.6.2 Multi tiered

Here we explain how a two tiered setup would work; generalizing to multiple tiers is straightforward. The assumption is that there are two levels of permissions: the admin and user groups.

At the beginning, using a master key generation algorithm [53], one generates keys $K_i$ for groups as well as the master key $K$. Now the process is identical to the single tiered protocol, except the admins (users with the master key) have access to all the groups.

3.4.6.3 Problem with new groups

If new groups are created after some users have already registered, there is no easy way for those users to gain access without another registration. To solve this problem, a method one can apply is to have another public board where the new keys and pseudonyms (with added salt) are encrypted with the user's public key. Regularly checking this board and downloading new keys will be possible, as only the users themselves have their own private keys. Since the IDs are also encrypted, the mappings between IDs and groups will still be secret.

3.4.7 Applications

Collaboration Systems. There are collaboration systems where users might prefer to remain anonymous. Wikis are a good example, as users might be interested in anonymity - especially for some articles. Also having a single moderator that decides what is acceptable/right and what is not is usually not desirable, especially since it is contrary to the democratic spirit of wikis.

Message Boards/Chat Rooms. Our protocol can be used in place of any general purpose message board, where both authentication and privacy are needed or preferred and revocation might be useful. This use can be extended to functionally similar applications like chat rooms or instant messaging networks.

Peer Review. Our protocol can also be used as the underlying protocol for a peer review system. Here authentication will be required (so that the referees are necessarily experts), but anonymity is also needed (which is usually the case in most journals/conferences). Revocation should not be necessary, but its existence might be useful. Alternatively revocation can be done afterwards, where the results will only be seen by the editorial committee - for example for evaluation/screening (of the reviewers) purposes. In general the protocol can be used even in applications where revocation will always be done at the end, but where anonymity is important until the end.

Multiplayer Games. In multiplayer games where the identity of the players can be an unwanted advantage or disadvantage, a protocol like ours can be used to have anonymous players whose identity will be revoked at the end of the game to see who the winner is. This is also a case where the revocation does not just happen in case a rule is broken, but where it will be definitely revoked as part of the scenario.

3.4.8 Conclusion

In this chapter we presented a model for a pseudonymous message-board system supporting threshold controlled anonymity and proposed a protocol satisfying the requirements of this model. We believe it has several practical applications, of which we presented some. Furthermore it can be easily developed, deployed and extended. We also demonstrated the security of the system by enumerating the possible attack vectors and evaluating the protocol's defenses against these.

Our protocol gives a detailed description of a sophisticated message board application. This message board application requires authentication, while also essentially supporting anonymity. The protocol was carefully designed to support pseudonyms with the idea of helping the users to have a distinct presence (or reputation) while not giving up on anonymity. This is the major difference between our protocol and other anonymity protocols, which we believe will be essential in many practical uses. It is imperative, or at least desirable in some cases, to have a distinct presence or some form of reputation in some applications, for which we listed several examples. We believe that these and various other possible uses make our contribution significant.

Another distinction of our protocol is the possibility of revocation. While we admit that total anonymity should usually be preferred, in several other cases some limitations (meaning possible revocation) are important for the security and healthy functioning of the protocol. However one needs a way to prevent arbitrary revocations, which our protocol is designed to prevent using a threshold scheme. This is not only useful to prevent malicious users misusing the system, but also in some applications where
eventually the identity will need to be revealed it provides a security blanket preventing the authorities from gathering information about the users prematurely.

CHAPTER 4
ELECTRONIC VOTING

4.1 Introduction to Electronic Voting

Cryptography based electronic voting has been an active research area for many years. Although several different protocols have been designed, they are mainly based on one of three key ideas: Mix-Nets [37, 47, 71, 72], Blind Signatures [73, 74], or Homomorphic Encryption [52, 75–78]. The agreement among researchers is that these protocols should satisfy certain properties like privacy, accuracy, universal verifiability, robustness, and coercion resistance. Also being convenient for the voters is always considered to be an important factor.

Recently, when the increasing use of electronic ATM-like machines – called DREs ("Direct Recording Electronics") – in actual elections was criticized for the lack of voter verification, support for "paper receipts" was added to the key requirements list. All these issues took the center stage especially after the election debacle in Florida in 2000, after which the Congress passed the 'Help America Vote Act' (HAVA), a legislation attempting to bring the voting procedures under the federal government's purview [79] and improve the guidelines, requirements, and the voting processes. Several civil rights groups (Verified Voting Foundation¹ is perhaps the best known example) still advocate the importance of voter verification and it has become the focal point of voting system researchers and voting device supplier companies.

¹ http://www.verifiedvotingfoundation.org

Recently there have been many protocol proposals for electronic voting systems supporting verifiable receipts [2, 71, 80]. Although these protocols have strong theoretical foundations, currently most companies supplying DRE systems prefer to solve the verifiable receipt problem in a simplistic way by having the voting machine print out an untraceable vote and deposit it to the voting box after the voter's examination.
However, the electronic part of these systems is probably – details are usually lacking and the systems are proprietary – still lacking strong cryptographic privacy and security.

Putting aside economical considerations, the main reason for this seems to be the simplicity and ease of use of these systems. Ease of use is always an important consideration in complicated software systems for obvious reasons, but simplicity in this context has also an important additional advantage: people tend to trust systems they can understand.

In light of these issues, improving the currently used systems rather than the protocols that are theoretically sounder but are usually not employed might be more productive. To this end, in this chapter we use methods that are used in the literature that would improve the existing practical systems (Mercuri method), without reducing the stronger properties of said systems and analyze their security properties and assess the implications of having extra paper ballots in addition to electronic ballots.

Our first contribution is to combine the two popular (although in different contexts) voting system paradigms, while fixing several problems some previous systems had. Perhaps our main contribution is the addition of an auditing mechanism which makes it possible to sample the paper ballots to check the correctness of the electronic votes and give another layer of security to the whole system, without weakening the privacy and coercion-resistance of the system. This audit mechanism can also be employed in other homomorphic encryption based systems that also utilize paper ballots. Furthermore we give a security analysis of the proposed system that we believe adds another dimension to the usual, but in some cases insufficient, attack vs. defense paradigm.

4.2 System Design Perspective

Rather than trying to improve on the work seen in academia, the focus of our research is to build a system as complete as possible that is both practical, readily implementable by the industry, and that fits the related companies, government agencies, and especially voters' needs and preferences. Furthermore, it should also use the cutting edge research
done by both researchers and companies, and thereby have a strong theoretical framework. Another important point is having an extensive security analysis, which is usually missing in most academic voting protocol proposals. The focus on the analysis will not be only to show what security properties are satisfied, but also the potential risk of the properties not satisfied, and the possible trade-offs between these properties. The additional security of the (possibly redundant) paper ballots will also be another consideration.

To accomplish this we first list the basic requirements and fundamental principles for voting systems along with preferable attributes. Since much has been said about these issues both in technical [81, 82] and non-technical papers, in government and corporate white papers, and in the media, this part will also include an organized compendium of existing ideas.

After that, the preferences of all the involved parties (voters, government agencies, and companies) will be examined, and in light of these preferences the currently marketed systems as well as academic research will be evaluated. Using existing literature and original research, a new system (or possibly many) that fits all the parties as much as possible will be designed.

One important issue is the assumptions made by academic researchers (sometimes unknowingly), and their lack of practicality. As it is common in the security field, unfortunately, the most important and easily circumvented problems are not addressed, while the rather inessential problems are examined in excessive detail. Addressing these problems and analyzing them is of key importance.

4.3 Voting System Requirements

As the electronic voting field has developed, researchers started to form a set of properties that any protocol should satisfy. Although the definitions (and even some of the requirements) might change slightly from author to author, here is a basic list that most experts would agree on:

Accuracy or Correctness of a voting system indicates that all votes are counted correctly - they cannot be altered, duplicated, or removed [83].

The Privacy requirement ensures that each individual vote will be only known to the voter. The voting machine is usually not included for obvious reasons, although some systems manage even to hide the vote from the voting machines.

The Fairness property ensures that no party can learn the outcome of the election before the ballots are tallied.

Uniqueness ensures that a voter cannot vote more than once.

Individual Verifiability means that the voter can be convinced that his vote is counted correctly, while universal verifiability means that any party can convince itself that the election was fair.

Receipt Freeness is required to prevent coercion so that vote buying is prevented. Satisfying this property along with (the seemingly contradictory property of) verifiability is the central challenge in designing a voting protocol.

Robustness ensures that the voting protocol can recover from various errors and attacks.

Convenience for the voters is often regarded as another requirement. To satisfy this requirement, a voting system should not require any special gear and the voting process should be intuitive so that voters are able to vote after a basic description or a simple demonstration.

Note that some of these requirements - like convenience and robustness - are not easy to define or quantify, and it is sometimes difficult to assess how much a protocol satisfies these. Furthermore, satisfying even the key requirements like privacy and accuracy can be difficult to prove, which makes the field an especially challenging one.

4.4 Previous Work

The study of electronic voting protocols is one of the most active subjects in the cryptographic protocols area. Earlier protocols focused on privacy and voter verifiability [75, 84–86]. With the seminal paper of Cramer et al. [87] receipt-freeness was introduced as an important requirement, and soon after several solutions were published [25, 73, 77, 88–92].

Beginning with the use of DREs, and the public's skepticism of their correctness, paper receipts (or VVPRs, i.e., voter verifiable paper receipts) as part of individual or universal verifiability took the center stage as a key issue [47, 52, 78]. Recently many technical and non-technical papers have discussed the security of currently used voting devices, especially the use of paper-receipts [80, 81, 93–99].

Another direction where voting protocols have gone over the last decade is Internet voting [78, 83, 100–102], but the requirements and properties of these systems are usually considerably different than the systems under consideration. Accompanying the research on electronic voting, there are also proposals for voting systems that use older technology (like punch-cards), which have security and usability properties not much different from electronic voting protocols. Punchscan² and Scantegrity [103], both based on punch-card technology, are two examples of such systems.

² http://www.punchscan.org

4.4.1 Blind Signature Based Protocols

In blind signature based protocols, the main idea is to use blind signatures to get the vote certified without letting the certifier see the chosen candidate. After that stage the vote is unblinded and submitted for tallying. Using blind signatures makes satisfying privacy rather easy, however having a two-step process makes it harder to prevent cheating and also degrades performance in large-scale elections.

The possibility of using blind signatures to implement voting protocols was first mentioned by Chaum in his seminal paper describing blind signatures [31, 104]. The work of Fujioka et al. [74] is among the first proposed voting protocols, which is also the first complete voting protocol based on blinded signatures. However, among other problems, it had a serious security risk: the election authority could submit votes for abstaining voters. This problem was later fixed by Cranor and Cytron [85]. Sako improved previous protocols by making it possible for the voters to object to the tally [105], and
later Juang and Lei managed to improve this idea by making the objections anonymous [84]. The protocol proposed by Chen et al. [100] does not require a special voting channel and communications can occur entirely over the current Internet. Okamoto proposed a blind-signature based protocol supporting receipt-freeness [73]. Juang, Lei and Yu propose a method to make abstaining possible [106], while again Juang and Lei suggest a method to make blind-signature based protocols collusion-free [107]. Kim et al. combined blind-signatures and mix-nets to implement a practical system for Internet voting based on a public key infrastructure [108].

Among these protocols, Sensus [85] is a representative protocol, so we give a detailed description of it in the next section.

4.4.2 Sensus

Sensus [85] is a voting system based on modules, the key ones being: the registrar, the pollster, the validator, and the tallier. The registrar is responsible for registering voters before the election. The pollsters act as agents to the voters, and they help the voters with all computational and informational functions, like collecting voter's responses and obtaining validations. As pollsters require complete trust, a personal copy can be used for Internet voting. The validator checks voter registration and ensures that no voter casts more than one vote. The tallier is responsible for collecting ballots and tallying the results. It also checks the authenticity of the validation.

Here is a detailed description of all the transactions between these modules:

1. The registrar sends a voter identification number ID and a secret token T to all registered voters.
2. Each voter (or rather pollster) generates a public/private key pair $(i_e, i_d, i_n)$, and sends the public key $(i_e, i_n)$ to the registrar, along with their identification number ID and token T acting as password authenticating the voter. They also generate a ballot seal key pair $(s_e, s_d)$.
3. The validator gets the pairs $(ID, i_e)$ for the validated voters from the registrar, and also publishes his public key $(v_e, v_n)$.
4. The tallier generates a public/private key pair, and publishes the public key $(t_e, t_n)$.
5. When the election starts, the pollster gathers the chosen candidate from the voter, calculates the blinded ballot digest $b = m k^{v_e} \pmod{v_n}$ and submits $(b, ID, b^{i_d})$ sealed with $v_e$ to the validator.
6. The validator opens the seal using $v_d$, and checks if $(b^{i_d})^{i_e} = b$ and signs the ballot by sending back $b^{v_d}$, if everything checks out.
7. The pollster opens the seal with $i_d$, unblinds $b^{v_d}$ by computing $m^{v_d} = b^{v_d}/k \pmod{v_n}$ and verifies if $(m^{v_d})^{v_e}$.
8. If the validation checks out, the pollster sends $(m^{v_d}, V^{s_e})$ sealed with $t_e$, where $V$ is the voted ballot.
9. The tallier opens the seal with $t_d$, verifies the digest $V^{s_e} = (m^{v_d})^{v_e}$, signs $V^{s_e}$ by calculating $(V^{s_e})^{t_d}$. It then updates the voter list (to mark that this voter's ballot was signed) and assigns a receipt number $R$ to the new receipt $(V^{s_e})^{t_d}$, which he then sends to the pollster along with $R$.
10. The pollster verifies $((V^{s_e})^{t_d})^{t_e} = V^{s_e}$ and sends $(R, s_d)$ to the tallier.
11. The tallier opens $V^{s_e}$ with $s_d$ and updates the tally according to the voted candidate. It also marks the vote as "voted" in the voter list.

As a concluding remark, note that this protocol satisfies verifiability by letting the voter verify that their votes were counted correctly. However it does not satisfy universal verifiability, i.e., any interested party cannot verify if all votes were counted correctly. Also note that this protocol is not receipt-free: a voter can use the blinded ballot (by opening the ballot using the public key of the tallier and supplying the private ballot key $s_e$) to prove how he voted.

4.4.3 Mix-net Based Protocols

The idea behind using mix-nets in voting protocols is to make sure the link between the initial encrypted ballots and the final decrypted ballots is lost, and no single entity can recover the link. The reason this is necessary is that the initial ballots are linkable to users, which incidentally makes voter verification possible. The key property of any mix-net is for each mixer to prove that their mix is correct, so that no malicious mixer can corrupt or change the votes while mixing.
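The validation exchange in steps 5 to 7 of the Sensus description (Section 4.4.2), written out as an added Python example; it is not code from the thesis or from Sensus. The key sizes, the voter ID and the helper names are constructed for illustration, and the sealing of messages with $v_e$ and $i_e$ is left out.

```python
"""Sensus steps 5-7: RSA blind validation of a ballot digest (toy keys)."""
import hashlib
import math
import secrets

E = 65537


def toy_rsa_key(p, q):
    """Return (e, d, n) for two known primes. Constructed, insecure key sizes."""
    n = p * q
    return E, pow(E, -1, (p - 1) * (q - 1)), n


# Constructed keys built from Mersenne primes so the example is reproducible.
V_E, V_D, V_N = toy_rsa_key(2**31 - 1, 2**61 - 1)     # validator (v_e, v_d, v_n)
I_E, I_D, I_N = toy_rsa_key(2**89 - 1, 2**107 - 1)    # voter (i_e, i_d, i_n)


def ballot_digest(ballot: bytes) -> int:
    """m: digest of the ballot, reduced into the validator's modulus."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % V_N


def blinding_factor() -> int:
    """Random k >= 2 that is invertible mod v_n."""
    while True:
        k = secrets.randbelow(V_N - 2) + 2
        if math.gcd(k, V_N) == 1:
            return k


def pollster_request(ballot: bytes, k: int):
    """Step 5: b = m * k^{v_e} mod v_n, plus the voter's signature b^{i_d}."""
    b = ballot_digest(ballot) * pow(k, V_E, V_N) % V_N
    return b, pow(b, I_D, I_N)


class Validator:
    """Step 6: sign each registered voter's blinded ballot at most once."""

    def __init__(self, roll):
        self.roll = dict(roll)        # ID -> (i_e, i_n), received from the registrar
        self.validated = set()

    def validate(self, voter_id, b, b_signed):
        key = self.roll.get(voter_id)
        if key is None or voter_id in self.validated:
            return None               # unregistered voter or second request
        i_e, i_n = key
        if pow(b_signed, i_e, i_n) != b:
            return None               # (b^{i_d})^{i_e} != b
        self.validated.add(voter_id)
        return pow(b, V_D, V_N)       # b^{v_d}; the validator never sees m


def unblind(signed_b: int, k: int) -> int:
    """Step 7: m^{v_d} = b^{v_d} / k mod v_n."""
    return signed_b * pow(k, -1, V_N) % V_N


def validation_ok(signature: int, ballot: bytes) -> bool:
    """Anyone holding (v_e, v_n) can check (m^{v_d})^{v_e} against the digest."""
    return pow(signature, V_E, V_N) == ballot_digest(ballot)


if __name__ == "__main__":
    validator = Validator({"voter-001": (I_E, I_N)})   # constructed voter ID
    ballot, k = b"candidate: B", blinding_factor()
    b, b_signed = pollster_request(ballot, k)
    sig = unblind(validator.validate("voter-001", b, b_signed), k)
    print("validation verifies:", validation_ok(sig, ballot))
    print("second request:", validator.validate("voter-001", b, b_signed))
```

The validator signs only the blinded value, so it can enforce one validation per voter without learning which digest it certified.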

Chaum's groundbreaking paper introducing mix-nets and suggesting several practical uses (untraceable email, digital pseudonyms, etc.) also included the idea of using the same construct for electronic voting. Several researchers built on these ideas [109–111], where Sako and Kilian [111] introduced the first receipt-free voting protocol based on mix-nets. Furukawa and Sako designed an efficient method for proving a shuffle - the major efficiency bottleneck for a mix-net based scheme [40]. Some alternative schemes were proposed to implement a mix-net for use in voting protocols, with different efficiency, security and functionality characteristics [39, 112, 113]. Juels and Jakobsson combined coercion-resistance with universal verifiability [114], while Lee et al. provide a method that can be used in most mix-net based voting protocols to support receipt-freeness [89]. Recent work in electronic voting keeps using mix-nets [71, 72], sometimes in combination with homomorphic encryption based protocols [52, 115].

In the next section we give a short description of a mix-net based voting protocol, Prêt à Voter, which introduced several novel ideas. For a more detailed description, see Section 5.2.2.

4.4.4 Prêt à Voter

In 2004, Chaum proposed one of the first voter-verifiable and coercion-free election protocols based on visual cryptography (Votegrity) and mix-nets to be used with DRE machines [116]. The voter verifiable receipts are based on images, which was one reason for the protocol's questionable practicality. Later, Chaum, Ryan, and Schneider proposed a new version of this protocol [71], which is based on a different idea, although the underlying mechanics are very similar to the image-based protocol. Chaum's protocol uses paper ballot forms generated and distributed in advance. The ballots have two separable parts: one which lists the candidates in a random order, and the other containing both a column for the voter to mark his choice and the "onion", which in effect is an encrypted index for the random order of candidates, thereby making it possible to construct the ordering later on. This way privacy and secrecy is achieved. The part with the candidate
list will be destroyed by the voter (to forestall coercion, by preventing the voter from proving how he voted) before feeding the other part to the voting device, thereby preventing the voting device from ever learning the voter's choice, because the order of the actual candidate list is encrypted. A special type of mix makes it possible to decrypt the vote, without leaving a link to the receipt, hence making the protocol coercion-free. Since the voting devices never learn the vote, ensuring privacy and preventing the voting machine from maliciously changing the votes is greatly simplified. The drawback of this approach is the need to verify the authenticity and correctness of the ballots. It also does not support write-in votes.

In Section 5.2.2 we give a more detailed description of "Prêt à Voter", as our work in the next chapter is based on this protocol.

4.4.5 Homomorphic Encryption Based Protocols

The use of homomorphic encryption makes it possible to add all encrypted ballots – without decrypting them – and then decrypt the result to get the tally, the same tally one would get with first decrypting and then adding the votes. This is possible because in a homomorphic encryption system the identity E(A+B) = E(A) + E(B) holds. This method handles most of the problems associated with privacy, because the votes are never individually decrypted. It also reduces overhead, as compared to the other types of protocols it requires neither blinding nor necessarily mixing. Voter verification is also easy, since like mixnets there is no inherent harm in the encrypted votes being linked to voters. Having multiple authorities and using threshold schemes to decrypt the tally (as is usually the case) also makes sure the authorities cannot misuse their power. However, these types of protocols have also their limits. For example write-in ballots are very hard to support due to the nature of the tallying process.

The concept of using homomorphic encryption was introduced by Josh Benaloh [75, 117] who also enhanced the method by making it harder for the authorities to see each individual's vote [118]. Sako and Kilian started the work on making the homomorphic
encryption based schemes more efficient than mix-net based schemes [119], and soon Cramer [76, 87] designed a very efficient homomorphic encryption scheme, considered the first practical such protocol. Baudron et al. further improved the efficiency of their scheme [25]. The work of Fouque et al. and Damgard et al. [26, 28] introduced the use of the Paillier [18, 120] cryptosystem to improve upon previous work by increasing efficiency and making multi-candidate elections possible. Hirt [77] combined the protocols from Sako and Kilian [111] and Cramer [76] using the designated-verifier proofs of Jakobsson [121] to get an efficient and receipt-free protocol, which starting early in the 2000's was considered a requirement and the focus of most works on the subject [88, 91, 92]. Groth showed how to use an efficient mix-net to improve a homomorphic encryption based scheme [115]. Acquisti focused on implementing write-in ballots in receipt-free voting protocols [78].

The following section gives a description of a representative homomorphic encryption based voting system with a novel approach to support write-in ballots. It does not support receipt-freeness however, a problem we study in the next chapter.

4.4.6 The Vector-ballot E-voting Approach

Proposed by Kiayias and Yung [52], the main new idea in this protocol is the support of write-in votes. To this end the authors propose a composite ballot, the so called 'vector ballot'. As the external representation should be indistinguishable whichever part is used for a vote, a way to ensure ballot validity and regularity is required. This is solved using 'provably consistent vector ballot encodings.' The two different types of votes will be tallied differently, the regular votes using homomorphic encryption (therefore efficiently), and the write-in votes by mixnets. Another improvement from previous protocols is the final tally time, which is reduced from O(nc) to O(cn), where n is the number of voters and c is the number of candidates.

In this protocol, each ballot has three components (hence the term vector-ballot). The first part has a possible selection for a pre-determined candidate. The second part is a flag indicating whether the candidate for whom the vote was cast is a pre-determined
candidate or a write-in candidate. The third part consists of the write-in. The pre-determined portions are tallied using homomorphic encryption, while the write-in parts are tallied using mixnets. The four major steps in the protocol are described next.

Setup: The s authorities $A_1, \ldots, A_s$ submit their public keys to the bulletin board. The secret key is shared between these authorities.

Casting: After getting authorized, each voter casts their vote. Each vote is either for a pre-determined candidate from the set $\{1, M, M^2, \ldots, M^{c-1}\}$, where M is an integer larger than the number of possible voters, in which case the second and third parts of the ballot will be encryptions of 0. Or the first part is an encryption for 0, the second part is an encryption for 1, and the third part an encryption for the write-in vote. This basically makes the middle part a flag indicating if the cast vote is for a pre-determined candidate or write-in. See Section 2.7.2 for the proof of consistency that only one vote is cast, and [52] for further details.

Tallying: After splitting the ballots into their parts, tallying the first part works like the other homomorphic encryption based schemes, i.e., they will all be added and at the end decrypted to extract the resulting tally. The tallying of the write-in votes is done using a method called shrink-and-mix. The main idea in using this method is that given any k ballots, one can check if there are any write-in votes without decrypting the ballots. This can be accomplished by just decrypting the second parts of the ballots. The method uses this fact to randomly select some ballots and eliminate them if they contain no write-in votes. Repeating this process many times in effect will decrease the number of ballots, hence increasing efficiency, even though not all non-write-in ballots will be eliminated. The remaining ballots will then be submitted to a mixnet, which will act as an anonymizer making sure the link between the initial ballots and final ballots is lost. Finally the write-in ballots will be opened and added to the tally.

Details of the shrink phase: Let V {1, 2, ..., n} be the ballots which have a predetermined candidate selected, and V0 be the ballots with a write-in candidate. The
aim of this phase is to get a new set V, such that V0 V {1, 2, ..., n}. The authorities now calculate the number of write-in ballots h. They then divide the ballots into batches of b ballots each, where b is a parameter related to the desired final ratio of predetermined votes over write-in votes. For each batch, if it does not contain a write-in candidate, all the ballots in that batch are removed from V0. After the first step the expected size of V will be $n - n\left(1 - \frac{h}{n}\right)^b$. Note that to check if the batch contains a write-in vote, the authorities can add all the 'flag' parts and get the sum of these using the homomorphic encryption property. Recall that this flag is zero if a predetermined candidate is chosen and one if a write-in candidate is chosen. So this sum will be zero only if none of the ballots used a write-in candidate. This same method will also be used to get the number of write-in votes cast that will be used in calculating h as previously stated.

Details of the mix phase: According to the authors, the mix phase can use any of the published robust mix techniques. The most straightforward one is given as re-encrypting the sequence and permuting it randomly and then giving a zero knowledge proof.

The paper also gives an alternative way of forming the ballot, which is more efficient for large number of voters and candidates. The idea is to use c parts for the pre-determined candidates, rather than one. This decreases the required capacity considerably.

4.4.7 Mercuri Method

The so-called Mercuri Method [2] is a simple but effective concept, implemented in slightly different ways (possibly with various improvements/changes) by some companies. The idea is that apart from the simple 'select your candidate on the computer screen' process followed by the results being sent to a central server or stored locally, which might be lacking even the most basic security properties that some proposed protocols satisfy, a paper ballot of the said candidate is also printed. After the voter's inspection and confirmation, it is dropped into the ballot box to which the voter has no separate
access. This paper ballot, which looks similar to a conventional paper ballot, is stored for a possible recount. In a way, the system tries to improve correctness by ensuring the correctness of the backup vote.

4.4.8 Major Issues With Systems Based on the Mercuri Method

There are some potential problems when one decides to use the Mercuri method. Some of these issues are unique to protocols based on the Mercuri method, while others are common problems to most electronic voting protocols, that the Mercuri method by itself does not address. While none of these issues are strictly unsolvable, some are more difficult to handle than others, either intrinsically or because trying to solve them usually causes other problems. The major issues are as follows:

Consistency: When using the Mercuri method, there are actually two separate votes cast. Of course the system descriptions will necessarily indicate that those two votes will always be the same, however both designing and implementing this requirement and convincing the public that this will always be the case is a problem that needs to be addressed. The likelihood of this problem manifesting itself is closely related to the laws and rules of the election. Since voters will have visually reviewed the paper ballots, those will be the trustworthy ones. But if these paper ballots are only to be used on possible recounts, their positive effect on the reliability of the election will be diminished, especially in districts where getting a ruling for a recount is relatively difficult. This problem can trivially be solved by having the paper ballots be assigned the role of the real votes - rather than just a backup. However in that case the electronic tally will act merely as an unofficial exit poll - albeit one with a very high accuracy. This however reduces the usefulness of an electronic voting scheme, so looking for a better alternative is inevitable. One alternative is to ensure correctness separately, for example by using cryptographic techniques similar to ones without paper ballots. Another direction is to reduce the potential inconsistency between the electronic and the paper ballot, for instance by having a table of all the paper ballot votes indexed by their ids, and then randomly check a
predetermined amount of the ballots thereby testing if an inconsistency has occurred with a calculable probability. This of course will need to be designed carefully, as the ids might be used for coercion by linking the paper and electronic ballots. This is the direction we are taking in our protocol.

Coercion Resistance: This problem might present itself if it is possible to use a picture of the paper ballot as a proof. It all depends on what the system does if at the confirmation (of the paper ballot phase) the voter wants to change his vote (either because there was an error, or because of the voter changing his mind). If this process is easily recognizable by an outsider, the picture of the ballot at the final confirmation phase can be used for vote buying. As this problem can only be solved at the implementation phase – or diminished using effective election procedures – we will not go into any details.

Privacy: Unlike traditional voting, any electronic system that relies on the DRE to record/submit the vote has to consider privacy issues carefully. Chaum's protocol [71] circumvents this problem by not disclosing the vote to the DRE, but almost all other published systems are at least somewhat susceptible to vote recording and matching them with voters.

There are some simple procedures to reduce the possibility of this by designing the voting procedures carefully. In case there are multiple booths (which is the case in most districts), if the public cannot see which voter goes into which booth, the probability of a successful matching of votes and voters diminishes radically. Even if all DREs are malicious, a confident match might be too hard. Of course this also depends on how the voter actually presents himself as a qualified voter to the DRE, i.e., if the authentication or authorization used at the DRE can be linked to the voter's identity.

Some ways that private information can be saved and later on retrieved are: by using the available storage and then making network connections, by using backdoors, subliminal channels (hiding the stolen information inside regular transmissions, encoded using techniques similar to the ones used in steganography), or similar techniques.

4.4.9 Other Protocols

Blind signatures, homomorphic encryption and mixnet based protocols are the three main types of design choices, however there are also some protocols that cannot be classified as any of these types. These usually have some radically different design. We present some of them briefly here.

4.4.9.1 Threeballot

The ThreeBallot voting system [122] is a protocol recently proposed by Ronald Rivest. Its novel property is that it does not use cryptographic tools to achieve most of the usual properties that are aimed for in voting protocols. However it has some limitations, particularly the security issue (a vote buying attack) noted by the author.

The system is based on punch cards or similar technology. The idea is to have three separate ballots, one row for each candidate - which are aligned. To vote for a candidate one marks two of the columns, and to vote against a candidate one marks only one column. All rows must have exactly one or two columns marked.

After the voter marks his choice, the ballot is fed to a checker, which also puts a red stripe on the chosen candidate. The three parts of the ballots are all used (separately) to cast a vote. The voter also gets his choice of ballot (one of the three) reprinted as a receipt - which can be used for verification.

At the end of the election all votes will be posted in plaintext format to the bulletin board. Since each chosen candidate will get two votes and all others only one, subtracting the number of voters from all the candidates will give the result of the election.

The aforementioned vote buying attack works thus: The coercer tells the voter to mark the ballot in a specified pattern. This way even if the receipt has the required pattern, if the coercer cannot see the other two patterns in the public board, he will know that the voter did not vote according to plan.

4.4.9.2 Punchscan

Another election protocol that uses similar ideas is Punchscan [123, 124]. The novel approach of this protocol is that it does not need a DRE for each polling booth, as the ballots are cast by the voter in a booth on paper, which are scanned outside the booth by election authorities publicly, while still protecting privacy. Integration of write-in votes to the protocol is also possible [125].

Punchscan is a voting system invented by David Chaum and later developed by University of Maryland and Georgetown University researchers. Like the ThreeBallot [122] system, it is based on punch-card technology, however, unlike ThreeBallot, it uses cryptographic techniques. In a way, it is a transformed version of Chaum's visual cryptography protocol.

4.4.10 Possible Reasons for Not Adopting Advanced Cryptographic Schemes

Although some commercial systems exhibit signs of advanced cryptographic tools in their design, most systems seem to lack similar devices. Here we try to enumerate the possible reasons for this.

Practicality. Advanced cryptographic schemes necessitate setting up a complicated and distributed mix-net. (Most modern cryptographic voting protocols use mixnet for some reason or other.) These are generally used to shuffle the ballots so that any links between the resulting votes and the voters are lost. The questionable part of this method is that (unless the DRE does not know the vote itself - like in Chaum's protocol), it is still very difficult to protect the privacy if the DRE itself is compromised. In short, these methods are not strengthening the weakest link, nor are they protecting the most important property of a successful election: its correctness.

Ease of Use. The usual cut-and-paste schemes or Chaum's use of encrypted ballots usually result in rather complicated interfaces, or at least they make it very difficult to design clear and easy to use ones. This is contrary to one of the main ideas of using electronic systems, which is to simplify the process for the voters.

Trust. With trust we mean the belief that paper ballots are sufficient as verification. People trust the validity of a ballot they can understand, more than a technically sound cryptographic receipt which has confusing numbers/letters on it. It is important not only to have a secure election, but also to have an election which people believe to be secure.

It is our view that unless some (or rather most) of these issues are not resolved, the commercial system will favor systems that are less advanced yet satisfactorily handle the aforementioned problems. There is bound to be a trade-off between, say, ease of use and security, however having at least an adequate solution to both sides should be possible.

4.5 Our Contribution: Homomorphic-Mercuri Hybrid Voting System

Our proposed protocol is a combination of classic homomorphic encryption schemes, and the Mercuri method. Unlike the Prêt à Voter protocol, the voting device will know the chosen candidate, but to prevent cheating the cut-and-paste method (which will be explained later) will be used. On the other hand, because of fully using the voting device to enter the vote there will not be a need for paper ballots. However, in practice an additional burden (for the voter) would be the need to select the preferred candidate from a grid (stemming from the cut-and-choose method). This might be confusing for some users, but even very simple initial instructions should make it easy to use for the average voter. The advantage would be the extra certainty that the electronic vote counted as intended.

In basic terms, the way our audit mechanism works is by linking the paper and electronic ballots cryptographically. This will be done using the re-encryption property of Paillier. Once the audit sample is selected, the voting device will need to publish the original encrypted votes of the selected paper-ballots. It will also prove that these two sets are in fact the same set of ballots. The auditors then will check all the tallies, and compare them to make sure that the tallies of the original encryptions, the re-encryptions and the paper-ballots are all equal.

Apart from combining the Mercuri method with a homomorphic encryption based protocol, in the next chapter we also demonstrate a generic method for supporting write-in ballots.

4.5.1 Protocol Specification

In this section we give a detailed specification of our protocol. We describe the participants, the voting and tallying stages, and the auditing process.

4.5.1.1 Participants

The entities that are involved in the protocol are as follows. Figure 4-1 shows a graphical representation.

Authority: The authority A will be responsible for calculating and announcing the final tally.

Voting Device: The Voting Device VD gets the votes from the voters and submits them to the bulletin board BB. VD uses a computer screen S to display information (D) to the voter. It also uses a printer to print a receipt (R) for that purpose. The difference of these is the fact that D will remain secret between the voter and the voting device, whereas R will be taken outside the booth by the voter. Finally it will also print the paper ballot and deposit it into the ballot box. Note the difference between the paper ballot and the paper receipt: The paper ballot will not be accessible by V.

Voter: The Voter V uses VD to submit a vote for his selected candidate.

Bulletin Board: The Bulletin Board BB is where the VD submits the votes. It is publicly readable, and write-only for the VD. A will read the votes from here. Note that all communication with the BB will be signed with the senders private key.

Coercer: The Coercer C is a hypothetical participant. He can be any of the other participants or be in collusion with one.

It is assumed that the authorities have generated their encryption keys, the bulletin board is set-up and that the voters are registered and ready to authenticate themselves right before they vote.

Figure 4-1. Participants of the voting protocol

4.5.1.2 Voting

This phase occurs inside the voting booth, so it is assumed that there is a private and secure channel between V and VD. The only information that will be revealed to an outside party is the vote submitted to the BB by VD, and the receipt R printed by VD.

1. VD displays an $n \times d$ matrix (see Figure 4-2), where d is a security parameter (where a large d increases security but might lower usability), and $n - 1$ is the number of candidates (where abstaining is considered the nth candidate). Each row in this matrix consist of these candidates in a random order. Before submitting the vote, if the voter requests, VD generates another grid with the same properties. This prevents a forced-abstention attack [114] - i.e., prevents the Coercer to ask the voter to vote for a specific row and column thereby effectively randomizing his vote. Note that this attack was not mentioned in [126].

Figure 4-2. Candidate selection screen

2. VD now generates random numbers rnd and prints commitments c(x,y) (Section 4.5.1.4) for each cell in the matrix, to ensure that the VD cannot change the content of a cell in the candidate matrix. These commitments essentially follow the same lines as Forsythe's protocol [126], and insure with $\frac{d-1}{d}$ probability that the vote will be cast as intended (or rather $\frac{d-1}{d}$ probability that the cheating VD will be detected.) These commitments are also sent to BB, where they will be publicly verifiable.

3. V first randomly selects a row, and then submits his chosen row and column (and thereby candidate). VD prints the paper ballot, and adds a randomized re-encryption of the same vote by multiplying c(x,y) with a new random number $r'_{x,y}$. This re-encryption will be used for auditing purposes. VD then waits for a confirmation. V inspects the paper ballot, and if the ballot shows his chosen candidate confirms the
ballots. After the confirmation from V, VD deposits the paper ballot into the ballot box.

4. VD then opens the commitments (Section 4.5.1.4) for unchosen rows by printing the random order of the candidates along with the random numbers used for the commitment (and encryption) on the paper receipt. It also prints the location of the selected cell (the row and column numbers), but not the name of the candidate in that cell. VD finally adds a signature of the content of the receipt at the end of the receipt, to insure the authenticity of the receipt. The same data is also sent to BB.

5. Finally, VD sends the encrypted vote c(x,y) for the chosen cell (x,y) to the BB for tallying purposes. At this stage, VD also submits a proof of well-formedness of the vote, by proving that the encryption is for a string in the set of c valid votes using a zero-knowledge proof (this step is also not included in [126]). See Section 2.7.1 for the details of this process. Now the c(x,y) can be compared to the receipt on the BB and checked for well-formedness, so cheating at this step is not possible.

6. At the end of the voting session, VD sends the list of the re-encrypted votes to the BB. It also adds a zero-knowledge proof that shows the sum of these votes and the sum of the primary votes are equal, i.e., the product of both sets of encryptions are equal. The details for this is given in Section 4.5.1.5.

4.5.1.3 Sample voting walk-through

Here is a sample walk-through for an election with three candidates: A, B, C, and with security parameter d = 3. We omit any possible abstaining votes.

1. Table 4-1 shows a sample ballot generated by the DRE:

Table 4-1. Sample ballot

    A  C  B
    C  A  B
    B  A  C

2. For each cell, the DRE calculates c(x,y), as detailed in Section 4.5.1.4. These commitments are then printed on the first part of the receipt.

3. The voter now selects a random row, the second row for example, and on that row selects his candidate, A. On the selected row, the candidate happens to be in the second column, so the chosen candidate is on cell (2,2).

4. The VD opens the commitments of the remaining rows. This is done by printing the salt (random numbers $r_{i,j}$) used for the encryption on the second part of the receipt. For the selected row, rather than printing the random numbers $r_{i,j}$, it prints "2",
representing the second column of the chosen row. No salt is printed for this row, as that would make it possible to open the encrypted vote. Table 4-2 shows how the sample receipt (with both part one and part two printed) would look like.

Table 4-2. Sample receipt

    c(1,1)      c(1,2)      c(1,3)
    c(2,1)      c(2,2)      c(2,3)
    c(3,1)      c(3,2)      c(3,3)
    A,1A0C782B  C,23498DF2  B,9823B08A    first row candidate order and $r_{1,i}$
    2                                     selected candidate
    B,B3296A92  A,87C98A9F  C,98F89DC1    third row candidate order and $r_{3,i}$

5. The VD now prints the paper ballot and waits for the voter's inspection. The voter checks if everything is correct, (both on the receipt and on the paper ballot), and gives the final confirmation. He takes the receipt, makes sure the paper ballot is deposited into the ballot box, and leaves the booth.

6. Outside the voting booth or after getting home, the voter can use the receipt to check if the submission to the BB is correct. This is done by comparing the printed values to the ones submitted and by checking that the correct row and column of the candidate table is specified, thus making sure that his electronic vote was submitted and will be counted correctly. The voter (or anybody) can also check if the commitments are in fact opened correctly, which will persuade him that his vote was submitted correctly.

4.5.1.4 Details of the commitments and encryptions

The protocol uses Paillier encryption for the votes and commitments. Let $n = pq$ and $g \in Z_{n^2}$ with order n for some non-zero. Let there be k candidates and at most h voters. We assign to each candidate a number 0i

4.5.1.5 Proof of equality of product of submitted votes and product of randomized votes

VD uses this scheme to prove that the randomized votes added to the paper ballots sum to the same tally as the ones submitted to the BB as the primary votes. This is needed for the audit mechanism (explained later) to work. The zero-knowledge proof presented here is a non-interactive version (constructed using the Fiat-Shamir heuristic [49]) of the proof given by Baudron et al. [25]. We assume that the votes sum to m. VD picks a random r and a random $s \in Z_n$ and computes $u = g^r s^n \pmod{n^2}$. He then calculates H(u), where H is a secure one-way hash function. He then computes $z = r + me$ and $v = s r^e \pmod{N}$. (u, v) then constitute a zero-knowledge proof, and this can be checked by $g^z v^N = u c^e \pmod{N^2}$.

4.5.1.6 Tallying

Once all the ballots are cast and submitted to the BB, A will take the pre-listed candidate part and add all the encrypted ballots and decrypt the result - adding proofs of correctness of the decryptions (details given in Section 4.5.1.7), thereby getting the final count. Note that this is different than the usual homomorphic encryption based voting scheme, where usually there is a mixing phase. The reason for the mixing phase is so that no single authority can reconstruct the link between the encrypted and decrypted ballots. But in our case that would not accomplish anything, as the VD already knows the ballots. Additionally, the paper ballots will also have all the votes, and can be used for a possible recount.

4.5.1.7 Proof of correctness of the decryptions

A will take all votes $c_i = g^{m_i} r_i^n \pmod{n^2}$ and add them all by calculating $c = g^{\sum m_i} (\prod r_i)^n \pmod{n^2}$. This is decrypted to R, and a zero-knowledge proof is added, using the set membership proof given in Section 2.7. To get the number of votes for candidate i, we just calculate $(R / h^i) \pmod{h}$, where '/' represents integer division - as R is just a k-ary number, $K = m_{k-1}, \ldots, m_0$.

4.5.1.8 Auditing

Our protocol results in both a paper and electronic ballot, where the paper ballots are (at least in theory) assumed to be for recounts only, and the electronic votes are considered the primary ballots. But having the paper ballots only for recounts would not be an efficient way of using all the additional overhead introduced by them. Another useful way these ballots can be used is for auditory purposes. Unfortunately, just having the paper and the electronic ballots linked in a straightforward manner is dangerous to the privacy of the voters, as the electronic vote itself (in encrypted form) is already linked with the voter. Since the unencrypted vote will be anonymized during the mixing phase, the encrypted vote will need to be used for this purpose. (Technically the link can still be established with all the authorities' agreement, but this would be very inefficient and would also contradict the assumed security properties of the mix itself).

Our solution to this problem is to add a randomized version of the encrypted ballot to the paper ballot. The VDs will have posted the randomized votes and proven that they add up to the same tally as the original ones. Following is a description of how this audit mechanism works. For auditing, some number of paper ballots will be randomly selected (see the work by Rivest [127] for a simple method³). The VD will first post the list of the original ballots, in a random order to prevent matching the lists ballot by ballot. VD will also prove that the list is in fact the correct list, i.e., they are the electronic counterparts of the paper ballots. Then, separately, both the original and the re-encrypted votes (on the randomly selected paper ballots) will be summed using the homomorphism property and the tally and the randomness will be revealed by the VD. The results will be compared with the counts of the chosen ballots (using the plaintext votes) to see if there is any discrepancy.

³ For an extensive bibliography of election auditing see [128].

The main difference between this system and using a basic 'id' based method is this: In the basic method, to get the information of the chosen candidate by a voter the coercer would need to satisfy the following:

1. The coercer needs to be able to record (or have access to) the id of the paper ballot (either by the particular paper ballot being selected for the audit or by some other means)
2. The coercer needs to be able to record (or have access to) the id of the voter's receipt.

The second item is usually assumed to be relatively easy to do, however in this case the first item is not very difficult either, at least if the vote is selected for auditing. To compare, in our scheme, in addition to the two items listed above the coercer also needs to have access to the random number generated by the DRE. This is only possible if the DRE is also compromised. This alone should be a safer guard than the combined safety of two items listed above.

4.5.1.9 Audit mechanism details

Assume that the VD has submitted m encrypted votes $c_i = g^{m_i} r_i^n \pmod{n^2}$. It also will have re-encrypted these votes as $c'_i = g^{m_i} (r_i q_i)^n$. Assume a set A, with size k is selected for audit. Then for each $c'_i$, the VD will first publish $R = \prod_{i \in A} r_i$ along with the list of $c_i$ for $i \in A$ in a random order. The VD will also publish $Q = \prod_{i \in A} q_i$. The auditors will now have to check three things:

1. That the published list of $c_i$'s is the correct mapping to the selected paper ballots forming the set A.
2. That the $q_i$'s are really the random numbers used for the re-encryption of the $c_i$'s.
3. That the tallies of the encrypted votes, the re-encrypted votes and the plaintext votes on the paper ballots all agree.

For the first two items, consider the two different ways the VD might try to cheat. First of all, it might have done the re-encryption incorrectly, i.e., changing the vote that was for $m_1$ to $m_2$ by basically just encrypting $m_2$. But to do that and still pass the audit,
even if all the other votes are correctly formed, it will need to find a random number q such that multiplying $g^{m_1} r_1^n$ by $q^n$ should give $g^{m_2} r_2^n$. That means that $q^n = g^{m_2 - m_1} \left(\frac{r_2}{r_1}\right)^n$, hence $q = (m_2 - m_1) \log_n g \, \frac{r_2}{r_1}$. So the VD will need to find the discrete logarithm of g base n (both parts of the authorities public key), which is assumed to be infeasible.

Alternatively, the VD might submit the list of the original votes incorrectly, using a set with the same tally as A. In that case however the cheating VD will have the same problem. Now rather than the $c'_i$'s, the $c_i$'s are wrong, but the way to cheat is still finding the q that can be used to hide the fact that the re-encryptions are not consistent. Hence, this attack is also infeasible.

To check against these possibilities, the auditors only need to confirm that $\prod c_i q_i^n = \prod c'_i \pmod{n^2}$. After insuring that the first two possible ways to cheat are infeasible, the auditors only need to check the third part, which is straightforward for the auditors. The plaintext tally $m_p$ is converted to the electronic tally format (using the $1, M, M^2, \ldots, M^n$ scale) and $g^{m_p} R^n \pmod{n^2}$ is calculated and compared to $\prod_{i \in A} c_i \pmod{n^2}$ and $\prod_{i \in A} c'_i \pmod{n^2}$. If these three are all equal, the auditors can be convinced that the tallies are all equal as they should be.

To analyze the security of this system, note that apart from the list of $c_i$'s only the random numbers used for re-encryption are given. So for the original encrypted votes only R is given out that was not already published. But as this is the product of k random numbers, and without the knowledge of $k - 1$ of them, it cannot be used for any cryptanalysis. The other main concern, which needs to be addressed, is the fact that the count of the partial tally will be known as well as the encrypted ballots that are in the audit set. So anyone that is able to link the encrypted vote to its voter (which is only possible by using the receipt of the voter assuming the VD has no leaks, and therefore also implies potential deniability if the link is uncovered), might get some information from the partial tally. But this should not be a concern as long as a sufficiently large sample is used for auditing.
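
The audit checks of Section 4.5.1.9 and the tally decoding of Section 4.5.1.7, as an added Python example that is not code from the thesis. Assumptions: a constructed toy key made of two Mersenne primes, g = n + 1, tally base M = 1000, hypothetical function names, and the re-encrypted product is compared against $g^{m_p}(RQ)^n$ because each $c'_i$ carries the extra factor $q_i^n$.

```python
import math
import secrets

# Constructed toy key (two Mersenne primes); real keys use far larger primes.
P1, P2 = 2**31 - 1, 2**61 - 1
N = P1 * P2
N2 = N * N
G = N + 1  # assumed generator choice, not taken from the thesis
LAM = (P1 - 1) * (P2 - 1) // math.gcd(P1 - 1, P2 - 1)
MU = pow(LAM, -1, N)  # decryption constant, valid for g = n + 1
M = 1000  # assumed tally base; must exceed the number of voters


def rand_unit():
    """Random element of Z_n^* used as Paillier randomness."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def encrypt(m, r):
    """Paillier encryption c = g^m * r^n mod n^2."""
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """Paillier decryption with the private value LAM."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def product(values, modulus):
    out = 1
    for v in values:
        out = out * v % modulus
    return out


def vd_cast(choices, flip=None):
    """Voting device: c_i goes to the bulletin board, c'_i = c_i * q_i^n onto paper.

    flip=(index, candidate) models a cheating VD that encrypts `candidate`
    electronically while the paper ballot still shows the voter's choice.
    """
    ballots = []
    for i, cand in enumerate(choices):
        electronic = flip[1] if flip and flip[0] == i else cand
        r, q = rand_unit(), rand_unit()
        c = encrypt(M ** electronic, r)
        ballots.append({"paper": cand, "r": r, "q": q, "c": c,
                        "c2": c * pow(q, N, N2) % N2})
    return ballots


def vd_open(ballots, audit_set):
    """VD publishes R = prod r_i, Q = prod q_i and the audited c_i, shuffled.

    Reducing R and Q mod n is safe: (a + kn)^n = a^n mod n^2.
    """
    R = product((ballots[i]["r"] for i in audit_set), N)
    Q = product((ballots[i]["q"] for i in audit_set), N)
    cs = [ballots[i]["c"] for i in audit_set]
    secrets.SystemRandom().shuffle(cs)
    return R, Q, cs


def auditor_check(paper_choices, paper_c2, cs, R, Q):
    """Auditor: link check (items 1 and 2), then the three-way tally check (item 3)."""
    prod_c, prod_c2 = product(cs, N2), product(paper_c2, N2)
    linked = prod_c * pow(Q, N, N2) % N2 == prod_c2
    m_p = sum(M ** cand for cand in paper_choices)  # plaintext tally on the M scale
    return (linked and encrypt(m_p, R) == prod_c
            and encrypt(m_p, R * Q % N) == prod_c2)


def run_audit(choices, audit_set, flip=None):
    ballots = vd_cast(choices, flip)
    R, Q, cs = vd_open(ballots, audit_set)
    return auditor_check([ballots[i]["paper"] for i in audit_set],
                         [ballots[i]["c2"] for i in audit_set], cs, R, Q)


def tally(choices, k):
    """Authority: multiply all c_i, decrypt once, read the base-M digits."""
    ballots = vd_cast(choices)
    total = decrypt(product((b["c"] for b in ballots), N2))
    return [total // M ** i % M for i in range(k)]
```

A VD that encrypts a different candidate than the one on the paper ballot still passes the link check, since its $c'_i$ is a valid re-encryption of its $c_i$, and is caught only by the comparison with the paper tally.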

4.5.1.10 Security improvement

Although the protocol prevents coercion by letting the voter select a row and column, in practice the issue is somewhat more complicated. The problem, mentioned previously [126] without a satisfying solution, is that it would be difficult for the voter to make sure the VD does not change any entry in the matrix - as there are nd entries, thereby preventing being caught cheating. To resolve this defect, the implementation can be changed such that rather than selecting the chosen row, the voter selects (or rather deselects) another one of the remaining rows repeatedly until the chosen row is left. This way he only needs to observe n fields rather than nd, which would make it very difficult for the VD to cheat.

4.5.1.11 Using voting devices and paper ballot printers from two different suppliers

As a further measure of preventing the DRE of cheating, another deployment improvement would be to have the electronic ballot part of the voting machine and the paper ballot part be supplied by separate vendors or sources, after designing a standard communication protocol between those two parts. This will make it much more difficult to launch a successful attack on the voting system.

4.5.2 Comparison

Here is a list of the most important differences between our protocol and two other voting systems. The first one is Prêt à Voter, briefly described in Section 4.4.4, with a more detailed explanation in Section 5.2.2. The second one is the generic system based on the Mercuri method, assumed to have only the basic properties as it is not based on a specific protocol, because of the lack of details of commercial systems.

4.5.2.1 Comparison with Prêt à Voter

The main differences between Prêt à Voter and our protocol are:

- Our protocol leaves a paper audit-trail, thanks to the Mercuri method. So in our scheme votes can be recounted.
- The paper audit-trail also enhances security by acting as a secondary and more trustworthy alternative tally, which in turn promotes trust in the system.
- The candidate list will be taken from the voter, so it cannot be kept and potentially used for vote buying, etc. The design is such that even if the DRE reads the list (since it will have the hardware necessary for it - to be used for reading the barcode), the cryptographic commitments (i.e., almost everything that will be submitted to the server) will already be printed, as will be the paper vote itself, practically making any malicious use impossible.

4.5.2.2 Comparison with the Mercuri method

The security of the proposed system is more advanced in all aspects, as it includes all security measures and adds some more to the set. These mostly include greatly improved privacy, voter verification of the electronic vote, and enhanced correctness. We also have paper ballots and electronic ballots linked, which increases the electronic vote's reliability as well as help pinpoint the cause of any discrepancy - if it exists - during the audit phase.

4.6 Security Analysis Methodologies

Most voting system protocol proposals are accompanied by security analyses. However, the amount of detail and thoroughness usually varies wildly. Furthermore, there is no agreed on systematic way of doing these analyses, so the methodologies are also usually different. In this section we give a brief literature review on the methodologies and techniques used for analyzing the security of voting protocols.

Kelsey [129] discusses the security issues of voting systems. The authors list three main issues: corrupt machines, compromisable machines, corruptible communications. They also list possible goals for the attackers: election fraud, disruption, discrediting, privacy violation (further separated as voluntary or involuntary). Furthermore, they classify the difficulty of attacks in terms of resources used (money, skills, risk tolerance, and insider access) and conspiracy required (size and diversity).

Jones [130] concentrates on building a taxonomy for voting system threats, and suggest building a catalog of threats. Their classification starts by addressing the phase of
the election that is being manipulated, and they give the following list, which is later on expanded.

1. Registration
2. Polling place access
3. Voter manipulation
4. Ballot manipulation
5. Threats to the ballot tabulation process itself
6. Threats to the results of the tabulation process

The authors then continue to secondary indices, the first being what technology is vulnerable, another one being the scale of the attacks and yet another is who carries out the attack. In this last type of classification, the authors give the following list:

1. Individual Voters
2. Outside Attackers
3. Polling place workers or other staff
4. Permanent employees at the election office
5. Election Officials
6. Equipment Vendors
7. Policy Makers

The authors also make several other important observations, where they suggest evaluating the likelihood of attacks and the cost-effectiveness of defenses against them. They also point to the fact that evaluating the voting system standards, voting laws, and administrative rules governing the election cannot be separated from a threat analysis.

Several researchers studied the auditing aspect of elections. Aslam et al. [131] give a simple statistical framework for auditing techniques and calculating the size of an audit to satisfy a given confidence interval, whereas Neff [80] compares the efficiency of different auditing mechanisms.

Another issue with many publications is the law and standards aspect of voting, where the pros and cons of paper voting vs. electronic voting are also discussed. In this respect Jones' testimony before the U.S. House of Representatives [132] was a detailed
overview of the problems with voting system standards. Mcgaley and Mccarthy [133] discusses the pros and cons of electronic voting compared to traditional paper based voting, with a focus on voting in Ireland.

Finally, several papers analyze the security properties of some specific voting protocol, usually with different methods and different focus characteristics. Kohno et al. [134] presents a security analysis of the voting system used by Diebold, concluding that the system is unsuitable for use in general elections and suggesting voting system have 'voter-verifiable audit trails'. Keller et al. [135] analyses the privacy properties of the Open Voting Consortium's open source voting system. Das et al. [136] gives a security analysis of the eVACS open source voting system used in an electronic voting trial in Australia. Varner [137] develops a technique for conducting security analysis of Internet voting systems and presents a thorough analysis of the voting system 'VoteHere,' which is arguably the most thorough voting system analysis ever published. Also, some publications analyze a specific property in detail, usually applied to two or more systems. Adida and Neff [138] define 'ballot casting assurance' as a complement of universal verifiability. They then analyze two protocols to see if this requirement is satisfied. Adida also developed theoretical results for the concept of 'uncoercibility' of voters, and then proved that it is satisfied in a new protocol that is suggested [139]. Cetinkaya et al. [140] discuss the concepts of verification and validation in the context of e-voting. Sherman et al. examined the vote verification systems of several voting systems for the Maryland State Board of Elections [141]. Their results mostly find that privacy is lacking in those systems. Even though there are some redeeming factors for most systems, in general they also are not as secure as hoped-for in many other aspects - some less than others. This leads to the conclusion that not only the basic cryptographic prospects are not in par with what experts expect and researchers (in a broad sense of the word) make available, but also that certain system-wide deployment and issues like accessibility, reliability, data management, election administration, and implementation are glaringly unsophisticated.

Another research area not strictly part of electronic voting but closely related to our current discussion is the study of techniques of security analysis. These publications form a bridge between cryptographic voting systems and security analysis methodology in cryptography.

In abuse case modeling [142], the threats are enumerated on an ad-hoc basis. This method is usually used during the design phase. Attack tree modeling [143] is a more systematic method. The so-called 'Fairly Simple Security Analysis and Modeling Methodology (FaSSAMM)' is introduced in [137] to assess the security risk to the completeness, soundness, privacy, unreusability, eligibility, fairness, reliability, and verifiability of voting.

Some attacks that are detailed in that work are as follows.

1. Distributed Denial of Service Attack: The attacker sends too many fake connection requests that the server cannot process the legitimate ones.
2. Malicious Code Attack on Client: Using a Trojan, virus, or worm invading the user's computer and manipulating the voting process.
3. Domain Name System Attack: Corrupting the DNS (domain name server), which would result in voters having trouble connecting to the election site.
4. Attack By Corrupt Voting Administrator: Various types of attacks resulting from an administrator's malicious acts.

Using the abuse case model, possible threats are enumerated and detailed; the synopsis of an attack include the following parts: ID, title, description, harm, attackers, visibility, violations, likelihood, preconditions, triggers, attack flow of events, alternative paths, postconditions, comments, defense mechanisms, and additional information.

Green and Adler [144] lists the principal vulnerabilities of secret ballot voting as: compromise of election integrity, compromise of secrecy, and denial of service attacks. Three categories of countermeasures are listed as: protection, detection, and deterrence.

Three level of countermeasures are identified against vulnerabilities.

1. Protocol Level: Focuses on the election data. This is the level central to their threat level analysis.
2. Implementation Level: Focuses on the software and hardware of the election devices, etc.
3. Procedural Level: Focuses on defensive procedures and processes that would make the election more secure.

After this classification, the paper describes the attack trees and the lists of the defensive countermeasures of the protocol against these attacks in detail.

4.7 Analysis of Our Voting System

In this section we present a security analysis of our proposed protocol, and also explain the methodology that we use. We first specify the requirements and assumptions that need to be made. Afterwards, we detail how each of the requirements are protected under the given assumption. This is done in a systematic way, arranged by presumed attackers. As examples we analyze our proposed protocol and as a comparison "Prêt à Voter." Comments will also be added for the "Mercuri method" systems.

4.7.1 Requirements

To make an extensive security analysis of a voting protocol, we first need to focus on what we expect from the system: the requirements. Any potential attack will target one or more of these requirements, which is why our analysis will start looking for possible scenarios where these can be fully or partially compromised. Hence, we first need to agree on these requirements. Afterwards we will list the specific requirements that will be evaluated in this part of the dissertation, and assign codes to them to make the actual evaluation easier.

4.7.1.1 Primary requirements

These are the usual key requirements, which are assumed to be critical, and even a small possibility of a security risk is worth examining.

- Correctness (Used as a catch-all property, including soundness, accuracy, etc.)
- Uniqueness
- Privacy
- Fairness
- Receipt-Freeness (also includes coercion resistance)
- Verifiability (Universal and/or Voter)

4.7.1.2 Secondary requirements

These are the requirements which are secondary in terms of priority, or measures which can take many different values - in other words properties that do not just take the values of 'satisfying' or 'not satisfying'. The voting protocol is usually less sensitive to attacks on these properties, although any successful attack will at least be a nuisance and at worst be as important as an attack on one of the primary requirements.

- Practicality
- Robustness

4.7.1.3 List of requirements

Here we give codes for each requirement to be used as shorthand in the analysis part. Note that we omit uniqueness, as that is assumed to be handled before the voter enters the voting booth. This will be included in the requirements list later. Furthermore, practicality is also not listed, as it is not really a security issue but rather a usability issue.

One important point that should be remembered is about the privacy requirement. We are in fact assuming that the voter will be anonymous when entering the voting booth (see Section 4.7.2.5), however, this is not assumed to be guaranteed, so we analyze the security of the second layer of privacy the protocol itself provides.

R1  Privacy
R2  Correctness
R3  Verifiability (where R3i is used for individual and R3u for universal verifiability if the distinction is important)
R4  Robustness
R5  Fairness
R6  Coercion-resistance

4.7.2 Assumptions and Trust

Analyzing the security of a cryptographic protocol requires some assumptions about the deployed system to be of practical use. The reason for this is that in almost all aspects, some security risks that are apparent in the protocol can easily be fixed in the implementation, or a protocol that seems secure can be made insecure during deployment. Therefore making some basic assumptions about the procedures and system deployment one can greatly simplify the security analysis. Satisfying some of these assumptions are not trivial, however in that case the burden of complying is delegated to the system designers, procedure modeler, and software developers.

4.7.2.1 The DRE and the voting booth

The DRE is assumed not to have the identity information of the voter, other than being able to recognize if the user is an actual registered voter who did not already vote. However, the DRE might be compromised, a possibility that is in the center of most voting protocol designs.

The voting booths on the other hand are assumed to be physically secured. The implication of this is that no outside entity (other than the DRE and voter) can get any information from the transaction inside the voting booth. Furthermore, the voter cannot get any physical evidence from the transaction (for example a picture or video) from the voting booth - other than the receipt/ballot that is part of the system. This is one of the assumptions that is non-trivial to satisfy, but is necessary for any meaningful discussion of uncoercibility (and other properties); solving this problem is almost impossible by the protocol design itself.

Another assumption that needs to be made in most election protocols is the in-feasibility of linking voters with the specific DRE they use for voting. This prevents any links from an identity to a specific vote, in case the DRE is compromised, preventing
any coercion aspects. Of course it also necessitates voter education, meaning that the voter needs to know that even in the unlikely event that the DRE is compromised, the link cannot be established for certain. (Probabilistic links cannot possibly be eliminated.) The first step to establish this security measure should be to have multiple DRE's in a different room, making sure that it cannot be established which DRE the voter is using.

4.7.2.2 Election authorities and DRE suppliers

Special assumptions about the election authorities are usually indicated as part of a voting protocol. Having no more than $n - k$ malicious out of n authorities is a common requirement, which we also employ. The common sense approach would be to have authorities selected by or made up of federal and local authorities (from various branches of the local and federal government) as well as a number of civil rights groups. This would reduce the likelihood of collusion between the authorities.

Another assumption with respect to the authorities is that their transactions are considered completely secure - which again needs to be satisfied by the system engineers. The processing of keys and messages need to be done in a secure environment, preventing any leaks about the key share. As this is the practice in many government and military establishments, its practical application should be fairly straightforward. The communication between authorities will be carried out by using the publicly readable bulletin board, for which the necessary security measures will be considered in the next subsection.

4.7.2.3 Bulletin board

The assumptions about the bulletin board are fairly straightforward and common. We assume a secure communication channel, which actually only needs to be one-directional. The security can be based on the IP (Internet Protocol) level - like IPSEC [145] (Internet protocol security) - or at the transport layer - like TLS [146] (transport layer security). We also assume the board to be read-only. This makes it easy to deploy distributed backups, which can in turn be used to ensure the read-only property. The
bulletin board should also give write-access only to registered voting booths, which should be done using authentication supplementing public encryption.

4.7.2.4 Voters

The assumptions inside the voting booth notwithstanding, the voters are all potentially in collusion with the DRE, the Coercer or Authorities. This is in line with the usual standard of the voter's only authority being the right for one vote. However, common sense dictates that the number of malicious voters will be very small compared to the honest voters, thereby making any statistical attack infeasible.

4.7.2.5 Summary list of assumptions

A1  The voter is authenticated and authorized before entering the voting booth. It is ensured that no voter can vote more than once.
A2  Neither the voter nor the coercer have a way of bringing out any proof of the process in the voting booth outside, other than the receipt the voter will be given.
A3  The DRE has no way of sending unauthorized information to any other party. This assumption is necessary as there is no way to prevent coercion cryptographically otherwise. (Note that some protocols like Prêt à Voter go around this problem by not having the DRE know which candidate is voted for. The usual approach, however, is to delegate this problem to the implementation phase by securing any incoming and outgoing communications and limiting the potential ways to store unauthorized information about the voting process. Additionally, increasing anonymity for the voters entering the booth also reduces the potential impact of this weakness.)
A4  The public key encryption system used is secure, and has no informational leakage.
A5  At most $n - k$ out of n authorities are assumed to be malicious.
A6  Voters will be anonymous when entering the voting booth, and the possibility of recovering the identity of a voter will be minimal.


4.7.3 Attacker Based Analysis

Any voting system needs to have a thorough security analysis carried out before it can be used in practice. In this and the next section potential attacks and vulnerabilities and our protocol's defenses against these will be analyzed. The analysis is categorized by attackers. This section will be limited to possible attacks carried out by individual attackers. In the next section, collusion attacks, which are usually the most dangerous attacks and therefore challenging to defend against, will be analyzed.

There are no assumptions made about the attackers. They try to actively use any vulnerability of the system to attack the system any way possible, from coercion to learning how a particular voter voted, to preventing the system from functioning. There are no assumed limits on their willingness to take risks or on their financial power, but the more these are required, the weaker the attack possibility is assumed.

Our analysis will be made based on the attacker, and each of the usual key security requirements of a voting system will be analyzed if relevant. Privacy, correctness, verifiability, robustness, fairness and receipt-freeness will be the major requirements, as listed before.

4.7.3.1 Attacks by the voter

As the voter has very limited power (other than being able to vote), his collusion with other parties is usually not a serious issue. The requirements R1 and R3i are requirements to protect the voter, so these need no protection against the voter. R2 is not an issue, because the DRE makes any necessary checks - and in fact the voter will usually only need to push buttons, preventing any possible foul play. R4 can be attacked by a voter, but only in the sense of damaging the system, an attack we will ignore. R5 is also not relevant, as the voter does not have any additional information (about the other votes or the status of the election) that the DRE does not have, so even a collusion would not be useful.

To get a receipt and be able to prove his vote, a voter can take pictures of the paper-ballot. But this is assumed not to be possible with assumption A2. Using the


receipt, a proof cannot be created either, as the only working part of it would be c(x,y) for the selected column and row. However this string will be encrypted, and should not leak any information (A4). Another type of attack, known as forced abstention or randomization attacks, is also not possible as mentioned before. The reason is that the voter can ask for as many random matrix generations as possible, and can do this until the preferred candidate is on the expected spot.

One other risk worth mentioning would be the collusion with the DRE to get a receipt that can be used as a proof. However, if the DRE is malicious, privacy is already at risk (the DRE necessarily knows who the voter voted for), so the help of the voter is not significant in reducing the power of the attack. The assumption A3 is listed so as to underscore this weakness.

4.7.3.2 Attacks by the DRE

As mentioned before, the DRE will know who the voter voted for, so the A3 assumption is needed for privacy.

For the correctness requirement, consider the case where the DRE is trying to submit a wrong vote. This is prevented by the voter observing if the receipts are well-formed, i.e., if the opened commitments show the same candidate names as they did initially. For the robustness requirement, the DRE can try to prevent voting or submit a corrupt vote: this is the DoS attack mentioned before. As in all voting protocols, there are many ways a DoS attack can be launched, especially using the DRE. The key is to minimize the risk and have well designed procedures to deal with these potential problems. The main issue will be the votes submitted using the problem DRE, as their reliability has diminished.

4.7.3.3 Attacks by the authority

R1 and R6 are not vulnerable to the authority, as the encrypted votes are the only important data they receive and these are completely anonymous. R5 is protected by the fact that the threshold system requires $k$ out of $n$ authorities to decrypt any ciphertext (A5). The authority's main purpose is to decrypt the encrypted votes using the


mix. However the mix is designed to prevent any one authority from easily cheating by changing or corrupting some votes (R2, R3, R4). This is done by having the authority prove the correctness of the mixes. As we only need $k$ out of $n$ authorities to correctly mix, the potential risk coming from the authorities is very low and assumed non-existent by A5.

4.7.3.4 Attacks by the coercer

R2, R4 and R5 are not in the scope of the coercer's attack. For all the other three requirements, consider that the coercer, being a theoretical participant, has no power during the election, and as such its attacks are only interesting when there is a collusion with another participant in the election process. When we consider the collusion of the voter and the coercer, the problem reduces to having the receipt-free property, which our protocol has. In fact, this scenario is basically what this property is designed to protect against. If the voter cannot prove how he voted, this attack cannot be carried forward. To see why the receipt-free property holds, consider what information the coercer might get assuming no collusion with the DRE or authorities. He can get the receipt from the voter, and also the content of the BB related to the voter's sessions. These will include all the opened commitments, which will not leak any information. The only other information he will get are the encrypted vote c(x,y) and the index (x,y) of the selected vote from the matrix. Since the index is random, in effect he only has the encrypted vote, which is assumed to be secure and cannot be used to gather any information about the vote itself. Another potential attack - the forced abstention attack - was mentioned before. However, having the option of regenerating the matrix gives any voter the option of selecting the required index from the matrix while at the same time voting for the preferred candidate.

4.7.4 Collusions

This section is the more interesting one, as most interesting and difficult to defend attacks are a product of various collusions. However, since most such attacks will have a principal attacker, so that the second party has only a limited contribution to the attack, our analysis will be made simpler by use of our conclusions from the previous section.


4.7.4.1 Voter and coercer

The coercer and voter being in collusion brings the question of a possible vote buying. To do this, the voter needs to prove his vote. Assuming no write-in ballots (attacks when write-in ballots are used are dealt with in the next chapter) there is no way to use the paper ballot as a proof, as the voter has no access to it. The electronic vote part on the other hand is more susceptible to such an attack. However, with the possibility of restarting the process (as explained before), the voter has no way to actually prove who he voted for.

4.7.4.2 DRE and authorities

As any authority taking part in the election does so by using a shared encryption protocol, their possibility of maliciousness is limited. Getting any information on the randomness used for a set of votes will not lead to any weaknesses, as the votes are summed, and the resulting tally has randomness from other DRE's which in effect makes the known randomness useless. (As an analogy think of three random numbers $r_1$, $r_2$ and $r_3$. Knowing $r_1$ gives no information about the sum $r_1 + r_2 + r_3$ or about any of $r_2$ or $r_3$.)

4.7.4.3 DRE and coercer

As we mentioned before, the problem when the DRE is malicious is a problem by itself, but the seriousness of this problem only manifests itself when there is a collusion with the coercer. As with most voting protocols (where the DRE knows who the voter voted for), there is not much that can be done to definitely defend against vote-buying. The only remaining possible defense is to prevent the DRE from successfully informing the coercer of the voter's choices. This, however, can only be prevented by using sophisticated software engineering practices. One defense is to limit any submitted information, including any information secretly hidden inside valid data. This however can to some extent be limited by having the DRE publish its random number generator after the protocol is finished. Of course, this approach can open its own can of worms (meaning that all random numbers generated will need to be accounted for, which will relay information about all the exchanges made between the DRE and the voter).


4.7.4.4 Authorities and coercer

The coercer is interested in any information about who a certain (or any) voter voted for. However, as mentioned before, the authority only acts as part of a group, and has in practice no access to any secret information that can be used for this purpose. Here we assume that $k$ out of $n$ authorities are not malicious, and as such the security of the secret sharing scheme provides us with the knowledge that the few shares of the secret the malicious authorities have do not leak any information about the master key.

4.7.4.5 DRE, authorities and coercer

Having the DRE, the authority and the coercer collude all at once is the ultimate test for a voting protocol. However, in our case the argument against the Authority, having limited power that is of no great practical use, still applies, practically reducing the problem to the collusion of DRE and Coercer case.

4.7.5 Recovery

One last important point related to security is the possibility that a malicious DRE or even authority tries cheating but is caught by our safeguards, either by a failing demonstration of commitments or by an incorrect proof of correctness. In these cases there need to be principles and rules in effect that will handle these situations with maximum security and minimum disruption of the voting process.

First of all the malicious or malfunctioning units should be banned from the election. In the case of an authority, the protocol can continue to function properly and with no potential hazard. In the case of a DRE, the problem is more complicated. The possibility of the DRE having managed to cheat before getting caught is a real problem, and must be dealt with. The most straightforward and trustworthy method would be to use the paper ballots, instead of using the electronic votes. So the electronic votes should be invalidated, and the paper ballots should be manually counted and added to the end tally. Of course, to be able to do this smoothly, the system engineers should consider this possibility and


implement manual overrides to accomplish this functionality without causing major problems, should the need arise.

The last step in the case of a malicious/malfunctioning DRE would be to analyze it to find out the reason of the problem. The information gathered should not only be used to find out if any malicious party is involved, but also to check the DREs in working condition to make sure they do not exhibit similar signs and are potentially compromised.

4.8 Conclusion

Paper-based voting systems have been used for centuries now, and ways to prevent cheating have been found and implemented over the years. However, even today these systems are still not perfect, and as such we believe that perfection from electronic systems should not be expected either. Although pure e-voting systems might still be in need of more studies before they can be classified as secure as paper systems by most people, we believe that a hybrid system like the one presented here might be a stepping stone until that day arrives.

In this chapter we presented a voting protocol framework that combines three popular concepts in the area. The first two are the homomorphic encryption schemes and supporting voter verifiable receipts without giving up the receipt-freeness property, which is of key importance. The third concept that was added is the use of actual paper-based ballots as part of an electronic voting system. Although we are not aware of all these concepts being used in a single voting protocol, our main contribution in that direction is the demonstration that the synergy of these tools adds up to more than the parts themselves.

Perhaps the most important contribution we presented in this chapter is our partial links of e-ballots and paper-ballots, making the whole greater than the sum of its parts, when it comes to using the Mercuri method. This can be useful when counting all the paper ballots is deemed to be too much work, especially since the electronic count will be ready soon after the election ended. But enhancing the use of the paper ballots by


making them directly auditable records and not just a fall-back for possible recounts is a welcome additional benefit. This can be used by poll watchers and auditors to ensure the consistency of electronic and paper votes, thereby increasing the level of security when the electronic votes are used as the primary count.

The security analysis and its methodology can be considered a further contribution to the field. Although some detailed security analyses were carried out for some voting protocols before (mainly commercial protocols), our use of multiple classification (attackers, coercion, players, trust) gives a different perspective to voting protocol analysis specifically and cryptographic protocol analysis in general. We believe that our analysis methodology will also be useful even for other voting protocols in the future. The use of the analysis is not limited to protocol designers but also extends to system designers and software engineers working on a protocol implementation.


CHAPTER 5
WRITE-IN BALLOTS

5.1 Introduction to Write-in Ballot Support

Several election constituencies (mostly in the United States) give the electorate the option to vote for write-in candidates. Supporting this notion in electronic voting protocols is one of the goals of current research. Previously popular blind signature based schemes were able to support write-in candidates rather easily [77], however with mix-net and especially homomorphic encryption based systems, this became more of a challenge. Because supporting write-in candidates is generally not considered to be a key property, and because of the difficulties associated with supporting both write-in candidates and coercion resistance simultaneously, many current protocols do not support this property.

Supporting write-in ballots in homomorphic encryption based schemes is considered to be an especially difficult challenge, mainly since in these protocols the votes are not decrypted before tallying: they are added up in encrypted form and then decrypted, which would not work with write-in votes. On the other hand homomorphic encryption based protocols carry several useful properties hard to achieve in other methods, like efficiency and improved privacy resulting from the fact that individual votes are not decrypted separately. Supporting write-in ballots in homomorphic encryption based systems was first achieved by Kiayias and Yung [52] with the vector-ballot approach. Unfortunately their method only supports universal verifiability and not voter verification. Several other protocols also support write-in ballots, yet they either cannot satisfy one of the two key assumptions (uncoercibility and verifiability) or they are far from practical.

The protocol we propose supports both write-in ballots and voter verification - which has been considered a key requirement in the last few years [72, 121] - although it is primarily based on homomorphic encryption. It is based on the same framework as the vector-ballot approach developed by Kiayias and Yung [52], but it incorporates a novel method for write-in ballots. The underlying machinery of the write-in support uses the


same concept of Chaum's Pret-a-Voter protocol [71], but the method to use this machinery for write-in ballots is first developed here.

5.2 Previous Work

Acquisti's protocol [78] is the first homomorphic encryption based protocol that supports write-in ballots, however that protocol is a generic protocol, rather than one designed with specific requirements in mind. While it might be a good choice for online voting, it is not sufficiently suitable for protocols based on DRE machines. Of voting systems specifically designed to be used in real elections, Kiayias and Yung's protocol [52] is the first homomorphic encryption based protocol supporting write-in ballots. However it does not support voter verification. Our system is based on this protocol, but supports voter verification. Although not necessarily proposing new protocols, [147-149] contain analysis of write-in ballot supporting protocols.

Acquisti's Protocol [78] satisfies most properties that our system does. But it seems like the protocol assumes that voters have access to a secure computation device for encryption and decryption purposes. Assuming such devices are not allowed in the voting booth, it is unclear if the voter can verify the computations done by the DRE used for this purpose.

Some non-homomorphic encryption based systems support write-in ballots as well. Of the relatively more recent ones, Threeballot [122] supports write-in ballots, thanks to its non-cryptographic design, but this same reason also causes the protocol to lack in practicality. Klonowski et al. [150] reformulate Chaum's visual voting scheme and state how write-in votes are supported. Hosp suggests a way to add write-in votes to Punchscan [125].

A major problem with supporting write-in ballots is the difficulty of preventing information leakage. Juels and Jakobsson [114] argue that supporting write-in votes prevents coercion resistance because of this problem. There probably is no good way of completely preventing this attack, however we believe that the same problems exist in


paper-based elections, which did not cause any critical debates in the past, so we believe that by a careful deployment procedure this weakness can be greatly mitigated. In Section 5.6.1, we give some preventative measures against this type of attack.

The voting system designed by Andrew Neff for the company Votehere [72] also satisfies the voter-verifiability and coercion-resistance properties, but does not support write-in ballots. It is the only commercial system supporting cryptographic voter verification with details (source code and extensive documentation) made public. It is based on mix-nets and the cryptographic receipt is generated using the cut-and-choose method, similar to the method used in our protocol. For some potential security risks related to this protocol or Pret-a-Voter when considered as a complete system see the analysis carried out by Karlof et al. [81].

5.2.1 Vector-Ballot Approach by Kiayias and Yung

This protocol does not assume voting is done in a voting booth, but it can be readily used with that assumption. This assumption would also make the protocol coercion-resistant, without the need for randomizers [25] which the authors mentioned as another possible solution. The main new idea is the support of write-in votes. To this end the authors propose a composed ballot - the so called 'vector ballot.' Since either only a pre-listed candidate or only the write-in part should be used by each vote, a way to insure ballot validity and regularity is required. This is solved using 'provably consistent vector ballot encodings.' The two different types of votes will be tallied differently, the regular votes using homomorphic encryption (therefore efficiently), and the write-in votes by mix-nets. The details of this protocol were given in the previous chapter, so the reader is advised to review that description before continuing.

5.2.2 Pret-a-Voter

As our construction for the write-in ballots borrows closely from the Pret-a-Voter protocol invented by Chaum, we give a detailed description of the system, building on the shorter description given in Section 4.4.4


5.2.2.1 Introduction

This protocol is a practical improvement on Chaum's image based protocol [71], and is based on an idea from [151]. One of the key points of this protocol is that the voting device never learns the intended vote, thereby eliminating several security risks directly. The pre-prepared ballots have what is called an onion, which is an encrypted form of the order the candidates are listed. The user selects his candidate from a shuffled list, marks it in the voting booth, and on his way out, drops part of the ballot into the voting box. This part does not have the candidate list, so any malicious entity trying to use it without decrypting the onion would not be able to get far, as it would be impossible to know which candidate the vote is for. The selected candidate can only be seen after the encryption is opened - which happens after an anonymizing step. The part of the ballot that the voter keeps is used as a receipt - it cannot be used to prove which candidate was selected, but it can be used to verify that the correct encrypted vote was submitted to the server. The main issue with this approach is the extensive need for setting up the ballots and the implied complexity, which causes an increase of potential pitfalls and a decrease in perceived security of (and by extension trust to) the system.

5.2.2.2 Overview

The ballots in this protocol consist of two separable parts. One part will have a randomly ordered list of the candidates. The other part will have the so called onion, which can be used to reconstruct the ordering. This second part is also where the voter marks his choice. These ballots will be distributed before the election starts, and they will be randomly audited for correctness. In the voting booth, the voter will separate the two parts of the ballot, and feed the part which has the onion into the voting machine. Since the voting machine will not see the ordering, it will not know which candidate the voter is voting for.

As the security of the election would depend on the correctness of the ballots, auditing the ballots before the election is an integral part of this protocol. There are


several different checks for correct ballot construction, each with a different level of thoroughness. Here is a list and brief descriptions:

- Single Dummy Vote: Here Anne just casts a dummy vote, and sends the receipt to the tellers. The tellers open the vote and inform Anne of the apparent vote.
- Multiple or Ranked Dummy Vote: This is very similar to the previous one repeated several times in succession.
- Given the onion value the tellers return the candidate ordering.
- Return the seed, and run the checking algorithm to see if it is well-formed: Unlike the first three checks, this one is not readily vulnerable to collusion attacks. This mode 4 check is described in detail in the paper, but one assumption that is made that strengthens this audit is that the onion function is bijective.

Once the ballot is cast, the voting device submits the vote (same as the receipt) to the bulletin board. The tellers then start to process the votes, by decrypting their part. At the end the plain votes will be published, but the links to the initial receipts will be lost.

Checking that the vote recording devices work correctly is done mostly by the voters, who can verify if their receipts are posted on the bulletin board. It should also be checked that no extra vote is cast, which can be done by comparing the counts and/or by use of digital signatures. Checking on the tellers if they performed the mix correctly is done by randomly picking either the incoming or outgoing edge for each vote and asking the teller to verify correctness. Since each teller performs two mixes, this does not compromise privacy.

5.2.2.3 Set-up

The authority creates a large amount of ballots, where the candidates are listed in a fixed order (but starting at a random index) on the left side and with space for the voter to mark his choice on the right side. The right side also contains the so called onion, for which the details will be explained later. These ballots are distributed and some random audits (which were briefly explained in the previous section) can be performed to make sure of their correctness and security.


5.2.2.4 Ballot construction

For each ballot, the authority generates a seed, a combination (concatenation) of $2k$ values (assuming $k$ tellers), which will be called 'germs' and represented as $g_i$. The seed will now be a sequence of these germs, so

$seed = g_0, g_1, g_2, \ldots, g_{2k-1}$

The offset will then be calculated for $i = 0, 1, 2, \ldots, 2k-1$ as

$d_i := hash(g_i) \pmod{v}$

The cyclic offset is then calculated by taking the hash values of these germs and adding them and finally taking the modulo $v$ - where $v$ is the number of candidates. So the cyclic offset is

$\sum_{i=0}^{2k-1} d_i \pmod{v}$

Also, to be used in the next phase, each teller generates two private-public key pairs.

Now, the first teller takes the first germ, appends a random value and encrypts it using his first public key. He then prepends the second germ to this and encrypts it again - this time using the second public key. Afterwards, he sends the result to the next teller. All tellers (in a predetermined order) repeat this process, and the final result is the onion. So the onion can be given by

$\{g_{2k-1}, \{g_{2k-2}, \ldots, \{g_1, \{g_0, D_0\}_{PK_{T_0}}\}_{PK_{T_1}} \ldots\}_{PK_{T_{2k-2}}}\}_{PK_{T_{2k-1}}}$

Or it can be given as the equations

$D_{i+1} := \{g_i, D_i\}_{PK_{T_i}}$

$Onion := D_{2k}$


5.2.2.5 Tallying

On the bulletin board, the first column will be exactly like the printed receipts held by the voters: an onion value with the selected candidate's secret index ($D_i$) and the order of the selected vote in the ordering given (but encrypted/encoded) by the onion ($r_i$). This same column is now passed to the first teller. Now, each teller, taking the previous $(D, r)$ pair, applies the following procedure:

1. Apply its first private key to get the germ and the onion: $g_{2i-1}, D_{2i-1} = \{D_{2i}\}_{SK_{T_{2i-1}}}$
2. Apply the hash function to the germ value to get $d_{2i-1} = hash(g_{2i-1}) \pmod{v}$
3. Get the new $r$ value by $r_{2i-1} = r_{2i} - d_{2i-1} \pmod{v}$.

After having completed this procedure with all pairs, the teller applies a secret permutation and posts the resulting $(D, r)$ pairs to the middle column. The teller now repeats the same process (including the procedure, shuffling and posting) to $(D_{2i-1}, r_{2i-1})$, resulting in the pairs $(D_{2i-2}, r_{2i-2})$, which will be posted to the last column. The final pair will be a representation of a decrypted vote so that everybody can see the final results.

5.2.2.6 Security checks

To insure the authenticity of the ballots one or more of the following checks should be applied:

- Checking the Authority: The main method to check the auditors is to check the correctness of some ballots before the election.
- Checking the Voting Devices: This is mainly done by the voters, who check the bulletin board to confirm that their receipts appear correctly.
- Checking the Tellers: Each teller will be audited by an authority, who will take the middle column and challenge the teller to produce the incoming or outgoing link randomly. This makes sure that the likelihood of any mis-transformation is very low while retaining the secret permutation, thanks to the two step shuffle performed by each teller. For details see Section 5.2.2.7.
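The ballot construction, tallying and teller check described above, run end to end as an added example (not code from the thesis or from the Pret-a-Voter authors). It assumes SHA-256 as the hash, a constructed candidate list, and an insecure XOR keystream standing in for the tellers' public-key encryption, so one key plays both $PK_{T_i}$ and $SK_{T_i}$.

```python
import hashlib
import random
import secrets

CANDIDATES = ["Alice", "Bob", "Carol", "Dave"]   # constructed base order
V = len(CANDIDATES)                              # v, the number of candidates
GERM_LEN = 16
RNG = random.SystemRandom()

def d(germ):
    """d_i := hash(g_i) (mod v)."""
    return int.from_bytes(hashlib.sha256(germ).digest(), "big") % V

def toy_box(key, data):
    """Stand-in for {.}_PK and {.}_SK: XOR with a SHA-256 keystream.
    Applying it twice with the same key undoes it. Not secure; assumption."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest() for n in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def build_ballot(keys):
    """Authority: draw 2k germs, wrap the onion, print the shifted list."""
    germs = [secrets.token_bytes(GERM_LEN) for _ in keys]
    onion = secrets.token_bytes(GERM_LEN)          # D_0, a random value
    for key, germ in zip(keys, germs):             # D_{i+1} := {g_i, D_i}_{PK_Ti}
        onion = toy_box(key, germ + onion)
    offset = sum(d(g) for g in germs) % V          # cyclic offset
    printed = [CANDIDATES[(pos - offset) % V] for pos in range(V)]
    return onion, printed

def cast(onion, printed, choice):
    """Voter: the receipt is the onion plus the marked position r."""
    return onion, printed.index(choice)

def peel(key, pair):
    """One teller step on one (D, r) pair; the germ is kept for audits."""
    onion, r = pair
    plain = toy_box(key, onion)
    germ, inner = plain[:GERM_LEN], plain[GERM_LEN:]
    return (inner, (r - d(germ)) % V), germ

def tally(keys, receipts):
    """Each teller holds two consecutive keys; the outermost layer goes first."""
    column = list(receipts)
    for key in reversed(keys):
        column = [peel(key, pair)[0] for pair in column]
        RNG.shuffle(column)                        # secret permutation per column
    counts = dict.fromkeys(CANDIDATES, 0)
    for _, r in column:
        counts[CANDIDATES[r]] += 1
    return counts

def audit_link(key, outer, inner, germ):
    """Auditor: D_i = {g_{i-1}, D_{i-1}}_PK and r_{i-1} = r_i - hash(g_{i-1}) mod v."""
    (d_i, r_i), (d_prev, r_prev) = outer, inner
    return toy_box(key, germ + d_prev) == d_i and r_prev == (r_i - d(germ)) % V

def run_election(votes, tellers=2):
    """Constructed run: fresh keys, one ballot per vote, then the mix."""
    keys = [secrets.token_bytes(16) for _ in range(2 * tellers)]
    receipts = [cast(*build_ballot(keys), choice) for choice in votes]
    return tally(keys, receipts)
```

The receipt never contains a candidate name: only the sum of the $d_i$ removed by the tellers turns the marked position back into an index into the base order.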


5.2.2.7 Checking the teller

For each teller, the auditor goes to the middle column (the first column being the input, the last the output and the middle column being a half-completed mix, i.e., only one of the two mixes is done by that teller) and assigns R or L to each $(r, D)$ pair. For each R the teller proves the correctness of the second mix (or shuffle) and for each L the first step. This is done by the teller giving the germ value $g_i$. As $r_{i-1}$ and $D_{i-1}$ as well as $r_i$ and $D_i$ are already published, the auditor can check that $D_i = \{g_{i-1}, D_{i-1}\}_{PK_{T_{i-1}}}$ and $r_{i-1} = r_i - hash(g_{i-1}) \pmod{v}$.

To conclude this section, we again point out that neither of these systems support write-in ballots while preserving the receipt-freeness and verifiability requirements in a practical manner. In the next section we describe our proposed protocol that will give a notable solution to this problem.

5.3 Our Contribution: Supporting Write-in Ballots

In this section we give the description of our proposed protocol for supporting write-in ballots in homomorphic encryption based voting protocols. The details and a sample protocol constructed using the protocol described in the previous chapter will be given in the following sections.

The basic idea of our protocol is to have ballots with two parts: one for predetermined and one for write-in candidates. After insuring that no ballot is using both parts at the same time, the ballot parts will be separated. The first part will be tallied using homomorphic encryption and the write-in part will be tallied differently. The write-in part will be encoded during the casting phase using a different and arbitrary permutation of each letter. The permutation will be encrypted using a mix-net. The same mix-net will decrypt the permutation, and arrive at the plaintext write-in name. During the mix-net, the link between the encrypted and plaintext votes will also have been lost.
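The per-letter permutation idea just outlined, as an added example that is not code from the thesis: each mix contributes one permutation per letter position, the printed column is their composition, and the mixes undo them in reverse order. The 27-symbol alphabet, the factorial-base mapping from a number to a permutation and the function names are assumptions; the numbers are kept in the clear here, whereas in the protocol each one reaches its teller inside the onion.

```python
import math
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "     # constructed alphabet, s = 27
S = len(ALPHABET)
H = math.factorial(S).bit_length()            # smallest h with 2**h > s!
RNG = random.SystemRandom()

def unrank(r):
    """Assumed number-to-permutation mapping: the factorial-base digits of r
    pick the image of each letter in turn. perm[i] is the image of ALPHABET[i]."""
    r %= math.factorial(S)
    pool, perm = list(ALPHABET), []
    for size in range(S, 0, -1):
        idx, r = divmod(r, math.factorial(size - 1))
        perm.append(pool.pop(idx))
    return "".join(perm)

def forward(r, ch):
    """Apply the permutation selected by r to one symbol."""
    return unrank(r)[ALPHABET.index(ch)]

def inverse(r, ch):
    """Undo the permutation selected by r on one symbol."""
    return ALPHABET[unrank(r).index(ch)]

def make_ballot(num_mixes, length):
    """layers[m][col] is the number for mix m and letter position col.
    grid[row][col] is what is printed next to left-margin letter ALPHABET[row]."""
    layers = [[RNG.getrandbits(H) for _ in range(length)] for _ in range(num_mixes)]
    grid = []
    for letter in ALPHABET:
        row = []
        for col in range(length):
            ch = letter
            for layer in layers:               # innermost permutation first
                ch = forward(layer[col], ch)
            row.append(ch)
        grid.append("".join(row))
    return layers, grid

def fill_in(grid, name):
    """What the voter does by eye: row = letter of the name, column = position."""
    padded = name.ljust(len(grid[0]))
    return "".join(grid[ALPHABET.index(ch)][col] for col, ch in enumerate(padded))

def mix(batch, m):
    """One mix over a batch of (layers, text): undo layer m, then shuffle."""
    out = [(layers, "".join(inverse(layers[m][col], ch) for col, ch in enumerate(text)))
           for layers, text in batch]
    RNG.shuffle(out)
    return out

def open_batch(batch):
    """Run every mix, outermost layer first; returns names in shuffled order."""
    for m in reversed(range(len(batch[0][0]))):
        batch = mix(batch, m)
    return [text.rstrip() for _, text in batch]
```

Every grid column contains each symbol exactly once, so the voter only looks up symbols and needs no computation.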


5.3.1 Setup

The write-in ballot forms will be prepared and printed before the election. They will be distributed to the voting booths, but care must be taken that only official ones are actually in the booth. Randomly sampling these ballots and checking their construction should be part of the security measures taken [71]. The ballots themselves will be consisting of 4 parts. The main part will be a grid of $k \times l$, where $k$ is the size of the required alphabet (probably the English alphabet along with special characters like space and punctuation marks), and $l$ is the maximum number of characters a write-in name can contain. The grid will be filled with symbols from the alphabet, such that each column will have each symbol exactly once, in a random order. The top of the grid will have $l$ boxes, aligned with the columns, for the name of the chosen candidate, and will be mainly used to facilitate constructing the ciphertext. The left part will consist of the alphabet, in order, and aligned with the rows. This also is for aiding the voter in constructing the ciphertext. At the bottom will be a detachable part, consisting of $l$ aligned boxes for the ciphertext, along with the onion, which will be explained in detail later. In effect the form will be a one-time pad, and the voter will need to make the encryption. This will arguably be too complicated for many voters, but with a clear design and easy to follow instructions, the majority of voters should be able to do it within a minute. Considering the fact that most voters do not use the write-in part, this should not be too serious a concern.

In Figure 5-1 the sample ballot shows how a voter wishing to vote for candidate "BOB" would work out the ciphertext. The lower part that will be fed to the device is where the string (ciphertext) "DLK" and the onion appears.

5.3.2 Participants

The participants in this protocol are the same as the ones we described in the previous chapter:

- BB: The public 'read-only' bulletin board


- VD: The voting device
- V: The voter
- $A_i$: The authorities

Figure 5-1. Sample write-in ballot

5.3.3 Protocol Overview

Setup. Using a threshold homomorphic encryption function (for example Paillier), the authorities $A_1, \ldots, A_m$ generate their secret shares and also publish the public key to the BB.


Casting. After the voter gets into the voting booth, VD presents a $d \times n$ grid to the voter, where $d$ is a security parameter. Each row contains (in random order) all of the candidates, plus possibly one for abstaining and one for 'write-in's. If the voter requests, VD generates another grid with the same properties. This prevents a forced-abstention attack [114], i.e., prevents the Coercer from asking the voter to vote for a specific row and column, thereby effectively randomizing his vote. (This attack was not mentioned in [126].) Once the voter confirms that he is satisfied with the matrix, he confirms and waits for the VD to print a cryptographic commitment to the grid. These commitments essentially follow the same lines as [126], and insure with $\frac{d-1}{d}$ probability that the vote will be cast as intended. The voter then selects his choice, after which VD opens all the unchosen rows, and also prints the chosen row and column.

At this point one important practical weakness is apparent. As in some similar systems [72], the voter needs to make sure that while selecting his choice the VD does not change the unselected rows, which would be caused by the VD trying to cheat (although it might or might not have succeeded, depending on whether the selected row was changed as well). But no defense against this was mentioned in previous publications, although the risk of similar possible attacks was mentioned [126]. One possible way to circumvent this attack is (with a minor cost of some inconvenience to the voter) to let the voter deselect each non-chosen row, rather than selecting the desired row. This will make it possible to focus on the correctness of all rows, so a cheating VD will be caught with the theoretically calculated probability.

If the voter decided to vote for a write-in candidate, he fills out a write-in ballot, removes the top part and discards it, then submits the lower part with the encrypted name and onion to the VD. In that case the encrypted name will be submitted to the BB as given, otherwise it will be an encryption (with the public key of the Authorities) of 0.

Ballot Submission. Once the VD has the voter's choice, he forms the vector ballots as described in [52], and publishes them to the BB along with the zero-knowledge proofs.
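How such a vector ballot can be formed and its pre-listed part summed while still encrypted, as an added example (not code from the thesis or from [52]). It uses the thesis's $\{1, M, M^2, \ldots\}$ encoding and flag; the toy Paillier primes, the candidate names, a single decryption key in place of threshold shares, and a decrypting check in place of the zero-knowledge proof are assumptions.

```python
import math
import secrets

P, Q = 10007, 10009                     # toy primes (assumption); far too small for real use
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)                    # valid because the generator is g = n + 1

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed pre-listed candidates
M = 100                                 # larger than the number of voters

def encrypt(m):
    """Paillier: c = (1 + n)^m * r^n mod n^2, with (1 + n)^m = 1 + m*n mod n^2."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    """Single-key decryption; the protocol splits this among the authorities."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    """Multiplying ciphertexts adds the plaintexts."""
    return c1 * c2 % N2

def vector_ballot(choice, write_in=None):
    """Three parts: pre-listed portion, flag, write-in portion."""
    if write_in is not None:            # permuted name from the paper form
        return {"pre": encrypt(0), "flag": encrypt(1), "write_in": write_in}
    return {"pre": encrypt(M ** CANDIDATES.index(choice)),
            "flag": encrypt(0), "write_in": encrypt(0)}

def relation_holds(ballot):
    """The statement the VD proves in zero knowledge, checked here by
    decrypting (illustration only; the proof itself reveals nothing)."""
    pre, flag = decrypt(ballot["pre"]), decrypt(ballot["flag"])
    choices = {M ** j for j in range(len(CANDIDATES))}
    return (pre == 0 and flag == 1) or (
        pre in choices and flag == 0 and decrypt(ballot["write_in"]) == 0)

def tally(ballots):
    """Add all pre-listed parts and all flags, then decrypt only the sums."""
    pre_sum, flag_sum = encrypt(0), encrypt(0)
    for ballot in ballots:
        pre_sum = add(pre_sum, ballot["pre"])
        flag_sum = add(flag_sum, ballot["flag"])
    total, counts = decrypt(pre_sum), {}
    for name in CANDIDATES:             # base-M digits are the per-candidate counts
        total, counts[name] = divmod(total, M)
    return counts, decrypt(flag_sum)    # flag sum = number of write-in ballots
```

A write-in ballot contributes an encryption of 0 to the pre-listed sum, so it leaves the homomorphic count untouched and only raises the flag total.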


Tallying. The first component of the ballots - i.e., the pre-listed candidate part - is tallied by adding the ciphertexts, which will be decrypted afterwards by the authorities using their secret key shares. The write-in parts will be opened (the "shrink-and-mix" method devised in [52] can be applied¹ first to improve efficiency, but it will be ignored here) and decrypted using a special mix-net.

¹ The fact that the write-in ballots are not encrypted with the authorities' public key when they are used does not prevent the method from working, as these are not opened in the original system either. The only requirements for this method are that the flags encrypt 0's and 1's according to which part of the ballot is used and that the write-in parts encrypt 0 with the authorities' key when it is not used. Both of these requirements are satisfied in our protocol as well.

5.3.4 Vector Ballots

The initial ballots will contain both the pre-listed candidate portion and write-in portion. They will consist of 3 separate parts:

- Pre-Listed Candidate portion. This part will consist of an encryption of either 0, or of one of the choices $\{1, M, M^2, \ldots, M^n\}$, where $M$ is a number larger than the number of potential voters. (See [52] for a more efficient method.)
- Flag. This will be an encryption of 0 if a pre-determined candidate is chosen, 1 if a write-in candidate is chosen.
- Write-In portion. This will be a secret permutation of the chosen write-in candidate, or an encryption of 0 if a pre-listed candidate is chosen. Rather than 0, a longer string in the form of $0^l$ might need to be used to have the two types of encryption have the same length and be indistinguishable.

Note that the use of $0^l$ to hide the length of the encryption seems to prevent the shrink-and-mix method from working. However, there is a way around this problem. If we use a fixed non-zero number, $S$, we can just compare the sum of the write-in portion for each batch to $bS$, rather than 0, to see if any of the write-in parts are actually used.

Apart from the write-in candidate's name (if any), all encryptions will be done using the Authorities' public key. For each posted ballot, the VD will publish a zero-knowledge proof, showing that at least one of the following is true:


- The first part is an encryption of 0 and the second part is an encryption of 1
- The first part is an encryption of an element from the given set of choices, the other two parts are an encryption of 0

One point that needs to be emphasized is the fact that the write-in candidate (if chosen) is not really encrypted with the public key of the Authorities. But as one can see from the above list, the only case where that part is relevant is when it is supposed to be an encryption of 0, so this does not present itself as a problem. So the zero-knowledge proof is exactly the same as proposed by Kiayias and Yung, hence details can be found in [52].

5.3.5 Pre-Listed Candidates

Once the election is finished and the zero-knowledge proofs are verified, the tallying phase starts. Since at this point it has been verified that at most one part of the ballot is used, one can safely separate the ballots into two parts:

- The pre-listed candidates, as represented by the set of choices
- The flag and the write-in part portion. The flag may be necessary for the shrink phase that will get rid of some empty write-in votes (those will have been voted for a pre-determined candidate and their vote will be counted using homomorphic encryption).

Counting the first part will be straightforward, thanks to the homomorphism property. Each vote will be added, and the resulting ciphertext will be decrypted by the Authorities, using their secret shares. Note that ballots for which write-in candidates were chosen will not affect this count. When this step is finished, depending on the election procedure, the results can be announced unofficially (if it can be deduced that the remaining write-in votes will not affect the result), or the results from the write-in parts will be waited for.

5.4 Write-in Ballot Details

We already explained the way the write-in ballot is constructed as it would appear in the perspective of the voter. To understand the underlying idea of this construction, and realize how it would facilitate voting for a write-in candidate securely and privately, consider Chaum's construction of the onions. The use of germs worked as a simple

PAGE 101

permutation (actually just an offset, but in principle can be considered a permutation, and in our case the analogous construction will be a permutation), and as the ballot is transferred from teller to teller, this permutation was combined with other permutations, at the end getting the final permutation, which is used to construct the actual vote using the index. Note that technically, each teller could have shifted the index, rather than transforming the permutation (obviously the shift would have been the inverse of the permutation). This observation will be the key idea in our construction.

5.4.1 Ballot Construction

Each teller $T_j$ generates $2l$ random numbers $r_i$ from a field of size $2^h$, for which $2^h > s!$ holds, where $s$ is the alphabet size. So for an alphabet of size 30, $h = 72$ should be sufficient. Each of these numbers will map to a specific permutation of letters by a pre-determined algorithm. Note that this size can be reduced by having a partial set of permutations to choose from. The composition of these permutations will form the actual permutation used in the ballot. (Unlike in Chaum's protocol, the use of hash values rather than $r_i$ is not really necessary, as the guessing attacks would not be feasible here.) The onion and the final permutation will be constructed by the same formula given by Chaum:

$$D_{i+1} := \{r_i, D_i\}_{PK_{T_i}}, \qquad \text{Onion} := D_{2k}$$

In effect this will be done for each of the $l$ letters, and each $D_0$ will be a random number. To make this idea work in our scheme, we also need to add a control string (either a specific predetermined string or a checksum would work) of some pre-determined length $c$. The reason for this is the fact that the mix will start not only with the actual write-in votes, but also with the 0 encryptions from voters who voted for a pre-determined
candidate. As each germ is opened by the tellers, if this control string does not match, the pair (i.e. onion and ciphertext, which are actually in one string) is discarded. If there are $k$ tellers each performing 2 mixes, the probability that an encryption of 0 will not be discarded is $2^{-dk}$. So increasing $d$ sufficiently will reduce this to almost zero. Note that even if such a string is not discarded, it will just be a random string after decryption, not interfering with the election results. Note also that the last teller (or the first one when decrypting) should not have this check, as that will make the teller able to conclude that a vote was not for a write-in with $1 - 2^{-d}$ probability.

5.4.2 Opening Ballots

To extract the write-in vote, for each ballot, each Teller will perform the following actions for each letter:

- Open $D_{2i+2}$, to get $r_{2i+1}$. If the redundant string does not check, discard the pair, otherwise apply the inverse transformation specified by $r_{2i+1}$ to $C_{2i+2}$, which is the ciphertext, $C_{2k}$ being the text entered by the voter. Mix the ballots. Submit the resulting ballots to the BB.
- Repeat the same process once more. The resulting ballots will be the starting point of the next Teller.

5.4.3 Auditing

Since each Teller performed two mixes, for each ballot in the middle column, either the incoming or the outgoing link will be chosen, which the Teller will verify by revealing the link and the relevant random number. As in Chaum's protocol [71], the use of two mixes insures anonymity.

5.4.4 Proofs of Knowledge

Several types of zero-knowledge proofs are provided in [25]. How to get a zero-knowledge proof for the vector-ballot is explained in 2.7. The auditing phase requires the tellers to prove correct shuffling and decryption, which was demonstrated in [71]. The idea is for the teller to reveal the germ value and show that it satisfies the necessary
constraints. The same method will be used in our protocol. For all dropped pairs, germs which do not satisfy the redundant string checks are revealed and demonstrated.

5.4.4.1 Proof of knowledge for the mixing phase

Recall that at each step of the mix, the auditor selects an R or L for each $(r, D)$ pair. For the R the mixer will need to demonstrate the $g_i$ value that was used. The auditor then checks if $D_i = \{g_{i-1}, D_{i-1}\}_{PK_{T_{i-1}}}$. For the mixer to cheat without risking being caught, he will need to find a $g'_{i-1}$ such that $D_i = \{g'_{i-1}, D_{i-1}\}_{PK_{T_{i-1}}}$ holds as well. That in turn requires the mixer to accomplish generating two numbers $g_{i-1}$ and $g'_{i-1}$, such that their concatenation to a random string results in the same ciphertext. First of all, there is even no guarantee that there exists such two numbers for a given string. Also, even with the private key this would not be solvable. Furthermore, without the public key, this would require the mixer to solve the following problem:

For a given $S$, find a pair $(m, m')$ and a pair $(r, r')$, such that

$$g^{m+S} r^n = g^{m'+S} r'^n \pmod{n^2}$$

Since the $g^S$ term can be canceled out, this would require the mixer to find two pairs such that

$$g^{m-m'} = \left(\frac{r'}{r}\right)^n \pmod{n^2}$$

Note that this equation can be solved only by either finding the $n$th root of a given number, or by finding the discrete log of a given number. So the mixer will need to be able to do one of these operations, both of which are assumed to be infeasible.

5.4.4.2 Probability of a cheating mixer being caught

To cheat by corrupting one of the $t$ ballots², the mixer needs to guess which of the two mixes he will be asked to publish, which gives a $\frac{1}{2}$ probability of being caught. To cheat by corrupting $c$ votes, the mixer will need to make a correct guess for all $c$, which gives a $\frac{1}{2^c}$ probability. So for $c = 10$, the probability of corrupting $c$ votes drops below 1 in 1000.

² Note that the mixer does not know how to open the remaining germs, so he cannot change the vote to some specific candidate, unless he is the last mixer in the decryption process.

5.5 Sample Protocol

In this section we improve the protocol proposed in the previous chapter by including the write-in ballot construction explained in the previous section. As the write-in protocol enhancement is a generic one, this will also demonstrate how it can be embedded into a homomorphic encryption-based system. The participants and registration phases are the same as before, so we will detail the voting and tallying phases.

5.5.1 Voting

1. VD displays an $n \times d$ matrix, where $d$ is a security parameter (where a large $d$ increases security but might lower usability), and $n$ is the number of candidates plus a generic 'write-in', and a possible abstain. Each row in this matrix consists of these candidates in a random order. Before submitting the vote, if the voter requests, VD generates another grid with the same properties.
2. VD now generates random numbers $r_{n \times d}$ and prints commitments $c(x, y)$ for each cell in the matrix, to ensure that the VD cannot change the content of a cell in the candidate matrix. $m_i$ will be 0 for the write-in candidate, so that $c(x, y)$ will be just the $n$th power of a random number, $r_{x,y}^n \pmod{n^2}$. These commitments are also sent to BB, where they will be publicly verifiable.
3. At this stage, the voter decides on his candidate, and at that point there are two cases:
   (a) If the voter decides to vote for a predetermined candidate, V first randomly selects a row, and then submits his chosen row and column (and thereby
   candidate). VD prints the paper ballot, and adds a randomized re-encryption of the same vote by multiplying $c(x, y)$ with a new random number $r'_{x,y}$. This re-encryption will be used for auditing purposes. VD then waits for a confirmation. V inspects the paper ballot, and if the ballot shows his chosen candidate confirms the ballots. After the confirmation from V, VD deposits the paper ballot into the ballot box.
   (b) If the voter decided to vote for a write-in candidate, he fills out a write-in ballot, removes the top part and discards it, then submits the lower part with the encrypted name and onion to the VD. In that case the encrypted name will be submitted to the BB as given, otherwise it will be an encryption (with the public key of the Authorities) of 0.
4. VD then opens the commitments for unchosen rows by printing the random order of the candidates along with the random numbers used for the commitment (and encryption) on the paper receipt. It also prints the location of the selected cell (the row and column numbers), but not the name of the candidate in that cell. VD finally adds a signature of the content of the receipt at the end of the receipt, to insure the authenticity of the receipt. The same data is also sent to BB.
5. Finally, VD sends the encrypted vote $c(x, y)$ for the chosen cell $(x, y)$ to the BB for tallying purposes. $c(x, y)$ can be compared to the receipt on the BB, so cheating at this step is not possible.
6. At the end of the voting session, VD sends the list of the re-encrypted votes to the BB. It also adds a zero-knowledge proof that shows the sum of these votes and the sum of the primary votes are equal, i.e., the products of both sets of encryptions are equal. The details for this are given in Section 4.5.1.5.

5.5.2 Tallying

This stage has two separate components. The first one is the tallying of predetermined candidates, which will work just as explained in Section 4.5.1.6. The second component on the other hand is for the write-in ballots. This part will be handled as detailed in Section 5.4.2. In short, the two particular ways of voting are already separated at the end of the voting phase, and during the tallying phase these two are not affected by each other - other than adding up the final tallies at the very end.
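
The homomorphic part of the vector ballot (Sections 5.3.4 and 5.3.5) and the re-encryption audit of Section 5.5.1, as an added example that is not code from the thesis. It assumes the Paillier form $g^m r^n \bmod n^2$ with $g = n + 1$, a toy key held by one party instead of the authorities' key shares, and no zero-knowledge proofs; the write-in portion itself is omitted and all function names are illustrative.

```python
import math
import secrets

# Toy key (constructed): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
G = N + 1                    # assumption: the common generator choice g = n + 1
PHI = (P - 1) * (Q - 1)      # one key holder here; the thesis shares the key
MU = pow(PHI, -1, N)         # modular inverse, needs Python 3.8+
M = 1000                     # must exceed the number of potential voters


def rand_unit():
    """Random r in Z_n^* used as encryption randomness."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def encrypt(m, r=None):
    """Paillier encryption c = g^m * r^n mod n^2."""
    r = rand_unit() if r is None else r
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """m = L(c^phi mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    return ((pow(c, PHI, N2) - 1) // N * MU) % N


def combine(ciphertexts):
    """Homomorphic addition: multiply ciphertexts modulo n^2."""
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % N2
    return acc


def reencrypt(c):
    """Re-randomize c without changing its plaintext; returns (c', r').

    Multiplying by the n-th power of r' keeps the plaintext unchanged.
    """
    r2 = rand_unit()
    return (c * pow(r2, N, N2)) % N2, r2


def opens_to(c, c2, r2):
    """Audit check: is c2 a re-encryption of c under the revealed r'?"""
    return c2 == (c * pow(r2, N, N2)) % N2


def make_ballot(choice):
    """choice = candidate index for a pre-listed vote, None for a write-in.

    Pre-listed votes encrypt M^choice with flag 0; write-ins encrypt 0
    in the pre-listed part with flag 1.
    """
    if choice is None:
        return {"pre": encrypt(0), "flag": encrypt(1)}
    return {"pre": encrypt(M ** choice), "flag": encrypt(0)}


def tally(ballots, num_candidates):
    """Return (per-candidate counts, number of write-in ballots)."""
    total = decrypt(combine(b["pre"] for b in ballots))
    write_ins = decrypt(combine(b["flag"] for b in ballots))
    counts = []
    for _ in range(num_candidates):
        total, digit = divmod(total, M)   # base-M digit = votes for candidate
        counts.append(digit)
    return counts, write_ins


def sums_match(primary, reencrypted):
    """Stand-in for the step 6 proof: both lists hide the same sum."""
    return decrypt(combine(primary)) == decrypt(combine(reencrypted))


if __name__ == "__main__":
    votes = [0, 2, 2, None, 1, 2, None]          # constructed sample election
    ballots = [make_ballot(v) for v in votes]
    print("tally:", tally(ballots, num_candidates=4))
    primary = [b["pre"] for b in ballots]
    pairs = [reencrypt(c) for c in primary]
    print("openings ok:",
          all(opens_to(c, c2, r2) for c, (c2, r2) in zip(primary, pairs)))
    print("sums match:", sums_match(primary, [c2 for c2, _ in pairs]))
```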


5.6 Protocol Analysis

5.6.1 Receipt-Freeness

The pre-listed candidates will be listed in a random order, and the selected row will not be opened at all, so there will be no way for the Voter to prove his vote. For the write-in part, if a Coercer can get a valid and authentic ballot before the election, he can force the voter to use it and ensure that the write-in selection will be his choice (the same vulnerability also seems to exist in Pret-a-Voter). The prevention lies in not making the ballot forms available before the voting-booth, except for auditors. Another potential security risk is the destruction of the upper part of the ballot, as this in combination with the receipt can be used as a proof for the name of the write-in selection.

There is another rather serious potential security risk, which is always present in any protocol supporting write-in votes, whether based on electronic or paper ballots. A type of forced abstention attack can be used as follows. The coercer can ask the voter to vote for a write-in candidate with an arbitrarily chosen string like 'aaabbbccc', thereby insuring that the vote will in effect be equivalent to an abstain. One defense against such an attack is to set a minimum for the number of votes needed for a write-in candidate to be included in the official announcement of the results. For example, one can set this minimum to five, and when the tally is calculated and contains one vote for 'aaabbbccc', it will not be made public. This method will greatly reduce the possibility of using this attack.

5.6.2 Vote cast as intended

For the pre-determined list of candidates, the voter is convinced with $\frac{d-1}{d}$ probability that the vote is cast as intended. But with $\frac{1}{d}$ probability the voting device can change the vote to another candidate. Still with a sufficiently large $d$, cheating several times without getting caught is highly unlikely. Of course having a fair recovery strategy is still of great importance. Since the encryption for the write-in part is verified, the only possibility for changing the vote remains in tricking the voter to use non-authentic ballots. Chaum has some defenses listed against this attack in [71], which would work in our protocol as well.

The paper ballots on the other hand will have been reviewed by the voter, so he will be convinced it is correct. Satisfying correctness this way in turn will imply consistency.

5.6.3 Authority-Voting Device Collusion

This is the most serious problem with our protocol, as usually the systems representing the authority and the voting device will be designed by the same entity. However the same applies for almost all e-voting systems in use today, and our proposal has at least some counters against it - for example the fact that the voting device never learns the write-in vote. Also, less than $k$ of the authorities colluding will not be sufficient, as their part of the key alone will not be useful for any purpose. More than $k$ authorities colluding will be a very serious issue, especially with VD collusions, however we have to assume that the likelihood of having $k$ malicious authorities, that were selected because they are trusted entities or government/local officials, is almost non-existent.

5.6.4 Coercer-Voting Device Collusion

One of the weaknesses of electronic voting protocols is the difficulty of defending against the collusion of a Coercer and the Voting Device. Although the protocols we mentioned prevent the changing of votes, most of them have only limited defenses to protect voter anonymity. Since Pret-a-Voter does not let the voting device know the selected candidate, this is not a problem, but the other schemes do not have sufficient protection. If the Voting Device can either during the election or afterwards submit the records to the Coercer, privacy can easily be invaded. Even physical security against this might not be sufficient, as subliminal random channels might convey the necessary information rather easily [81]. Unfortunately like all proposed protocols to date our protocol does not have any additional defense to this attack either.

5.6.5 Denial of Service Attacks

Denial of Service attacks are also a possibility in most electronic voting systems. Preventing these seems to be solved by early detection and recovery, which makes it fragile
and necessary for very thorough recovery procedure planning. Again, our system does not have any additional defenses against these types of attacks.

5.6.6 Election procedures to improve security

One problem that needs to be addressed in our protocol is the issue of write-in ballot distribution. If these are distributed freely and early so that various audits and checks can be made, it will increase the possibility of coercion. But without any audits the correctness of these will be an even more pressing problem. So the procedures to be followed for this purpose must be carefully examined and weighed against these potential problems.

5.7 Conclusion

We have presented a homomorphic encryption based voting protocol that supports write-in ballots and voter-verification. Voter verification has been lately considered one of the key requirements for a voting protocol to be used in important elections, while supporting write-in ballots is still one of the focal points for researchers. The protocol is designed to be used with DRE systems inside voting booths. It is coercion-free if the usual assumptions are satisfied. Along with simplifying these assumptions, some further research directions related to this protocol we currently pursue are: the simplifying of the overall system - both the underlying protocol and its ease of use to the voter, improving its efficiency and addressing the aforementioned DoS and collusion attacks.

We do not deny the difficulty of deploying this protocol in practice, especially because filling the write-in ballot would seem to be rather complicated at first sight, which may cause voters to avoid using it. However, we also believe that it is possible for the proposed protocol to be made much more practical with some simple design modifications. For example one idea that would make filling the write-in ballots much more simplified is to use prepared masks (templates) for desired candidates. These can be distributed by candidates, or simple programs that would prepare masks for requested names can be
made available. Of course the security implications of any such use of prepared masks will need to be carefully examined.

CHAPTER 6
CONCLUSION

Cryptographic protocols are at the center of most information security related problems arising in our age. Their applications have a wide spectrum, but they mostly use similar techniques. The key to designing a good cryptographic protocol is to separate the requirements that will be handled in the implementation from the requirements that will be handled in the design and to analyze the security of the protocol carefully, especially considering that combining two secure primitives can very often lead to security issues.

6.1 Revocable Anonymity

In this dissertation we studied two areas. In the first area, namely revocable anonymity, the problem was the lack of support for both pseudonym and revocation support. As a solution, we proposed a protocol which simulates an anonymous message board supporting pseudonyms, which are useful to build reputation in an anonymous setting. This message board also supports revocation, to prevent misuse by malicious users, but it also prevents a dictatorial administration by distributing the power to several administrators and giving a predetermined majority the ability to revoke the user's identity. Furthermore, it facilitates the use of this system in applications where anonymity is required only for a limited period, but where the identities of the users will need to be revealed afterwards.

This solution was developed using a modified fair blind signature protocol, which made it possible to register pseudonym/key pairs without revealing the user's identity. Our protocol is the first protocol supporting both pseudonymity and revocation at the same time. There are several practical applications for such a protocol, including wikis, collaboration systems, peer review and multiplayer games. Having such a wide range of useful applications, we believe that this constitutes an important contribution to the field.

6.2 Hybrid Mercuri-Homomorphic Encryption Protocol With Audit Support

In the second area we studied, our problem was to reconcile the difference between the researchers and voting system distributor companies. Specifically, we aimed at combining the Mercuri method with a cryptographically sound electronic voting protocol. After doing this, another important problem was to utilize the paper ballots to increase the security of the electronic votes, without needing a full recount.

Concerning this problem, we first gave some suggestions on how the Mercuri method can be used in a homomorphic encryption based voting protocol and listed some additional benefits that might arise. After fixing several common problems related to the forced abstention attacks that can be found in similar protocols, we also included a basic framework on how the security of voting systems can be evaluated. More importantly, we gave a description of a generic audit mechanism, that can also be used in similar voting protocols. This mechanism makes it possible to audit the electronic votes using the paper ballots, without endangering the privacy of the voters. This novel idea gives an added benefit to adopting the Mercuri method, which is already in popular use. To achieve this result, we used re-encryptions of the encrypted votes, and proposed a method that will prevent the voting device from cheating, while still ensuring the privacy of the voters.

6.3 Write-in Ballot Support

The last problem we considered was supporting write-in ballots as part of an electronic voting system, in a practical manner. To this end, we proposed a generic protocol for supporting write-in candidates that can be used with most homomorphic encryption based voting systems and that supports individual receipts, and is receipt-free. Previously no protocol could support both of these requirements without needing computational power from the voter himself, which is not a practical assumption for elections that require voting to be carried out in voting booths. As such, it fills an important gap in the electronic voting area. The way this was accomplished was by having a secret permutation
for each letter and designing a simple way for the voter to carry out the encryption without any computational aids using this permutation. The secret permutation is encoded in an encrypted string, and a mix-net is used to decrypt this string and as a result recover the permutation and hence the name of the candidate voted for.

Many people still retain doubts about having an electronic election system, where seemingly any number of votes can be changed with the push of a button. This gloomy view is perhaps too pessimistic, but it also poses a valid concern. However, we have all the tools necessary for a well-functioning and secure electronic voting system. Our goal should be to focus on the weaknesses of current technologies, and design protocols that not only replicate the security and various advantages/characteristics, but actually improve on them by supplying more security and many other enhancements. Voter verifiable receipts, very fast tallying, and ease of use are some of these enhancements, but we also should not forget about other issues like supporting write-in ballots and more importantly voters' perception of security. This perceived security is perhaps the most important obstacle for electronic voting technologies and the only way to overcome this obstacle is by designing better and more secure protocols while also educating the public on the accomplishments.

REFERENCES

[1] Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, second edition, October 1995.
[2] Rebecca Mercuri, "A Better Ballot Box?," IEEE Spectrum Online, October 2, 2002.
[3] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography, CRC, Boca Raton, FL, October 1996.
[4] Vincent Rijmen and Elisabeth Oswald, "Update on SHA-1," Cryptology ePrint Archive, Report 2005/010, 2005, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[5] Martin Cochran, "Notes on the Wang et al. $2^{63}$ SHA-1 Differential Path," Cryptology ePrint Archive, Report 2007/474, 2007, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[6] A. K. Lenstra and B. M. M. de Weger, "On the possibility of constructing meaningful hash collisions for public keys," in Information Security and Privacy, 10th Australasian Conference, ACISP 2005, vol. 3574 of Lecture Notes in Computer Science, pp. 267-279. Springer, Berlin, July 2005.
[7] Christophe De Canniere and Christian Rechberger, "Finding SHA-1 Characteristics: General Results and Applications," in Advances in Cryptology - ASIACRYPT 2006, vol. 4284/2006 of Lecture Notes in Computer Science, pp. 1-20. Springer Berlin/Heidelberg, 2006.
[8] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger, "Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate," Cryptology ePrint Archive, Report 2009/111, 2009, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[9] J. Black and T. Highland M. Cochran, "A Study of the MD5 Attacks: Insights and Improvements," in Fast Software Encryption. 2006, vol. 4047/2006 of Lecture Notes in Computer Science, pp. 262-277, Springer Berlin/Heidelberg.
[10] National Institute of Standards and Technology, "Secure Hash Standard," Federal Information Processing Standards Publication 180-2, 2002.
[11] Mihir Bellare, Ran Canetti, and Hugo Krawczyk, "Keying Hash Functions for Message Authentication," in CRYPTO '96: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, London, UK, 1996, Lecture Notes In Computer Science, pp. 1-15, Springer-Verlag.
[12] American National Standards Institute, "ANSI X3.92-1981," American National Standard, Data Encryption Algorithm, 1981.
[13] American National Standards Institute, "ANSI X9.52:1998," Triple Data Encryption Algorithm Modes of Operation, 1998.
[14] M. Matsui, "Linear Cryptanalysis Method for DES Cipher," in Proceedings of EUROCRYPT '93, Lofthus (Norway). May 23-27 1993, vol. 765 of Lecture Notes in Computer Science, pp. 386-397, Springer-Verlag.
[15] Eli Biham and Adi Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," in Advances in Cryptology - CRYPTO '90, pp. 2-21. Springer-Verlag, 1991.
[16] Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag New York, Inc., first edition, 2002.
[17] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978.
[18] Pascal Paillier, "Public-Key Cryptosystems Based on Composite Degree Residuosity Classes," in Advances in Cryptology EUROCRYPT 99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238. Springer Berlin/Heidelberg, 1999.
[19] W. Timothy Polk, Donna F. Dodson, and William E. Burr, "Cryptographic Algorithms and Key Sizes for Personal Identity Verification," NIST Special Publication 800-78-1.
[20] Dan Boneh and Matthew Franklin, "Efficient generation of shared RSA keys," in Advances in Cryptology - CRYPTO 97. 1997, pp. 425-439, Springer-Verlag.
[21] Dan Boneh, "Twenty years of attacks on the RSA cryptosystem," Notices of the AMS, vol. 46, pp. 203-213, 1999.
[22] Daniel Bleichenbacher, Er May, and Tu Darmstadt, "New Attacks on RSA with Small Secret CRT-Exponents," in Public Key Cryptography - PKC 2006, vol. 3958/2006 of Lecture Notes in Computer Science, pp. 1-13. Springer Berlin/Heidelberg, 2006.
[23] Jean-Sebastien Coron and Alexander May, "Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring," vol. 20, pp. 39-50. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2007.
[24] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key $d$ Less Than $N^{0.292}$," IEEE Transactions on Information Theory, vol. 46, pp. 1339-1349, 2000.
[25] Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, and Guillaume Poupard, "Practical multi-candidate election system," in Proceedings of the twentieth annual ACM symposium on Principles of distributed computing, New York, NY, USA, 2001, pp. 274-283, ACM.
[26] Ivan Damgard and Mads Jurik, "A generalisation, a simplification and some applications of paillier's probabilistic public-key system," in proceedings of PKC 01, LNCS series. 2001, pp. 119-136, Springer-Verlag.
[27] Alexandre Ruiz and Jorge L. Villar, "Publicly verifiable secret sharing from paillier's cryptosystem," Western European Workshop on Research on Cryptography, July 2005.
[28] Pierre-Alain Fouque, Guillaume Poupard, and Jacques Stern, "Sharing Decryption in the Context of Voting and Lotteries," in Proceedings of the 4th International Conference on Financial Cryptography, vol. 1962 of Lecture Notes In Computer Science, pp. 90-104. Springer-Verlag, London, UK, 2000.
[29] Victor S Miller, "Use of elliptic curves in cryptography," in Advances in cryptology - CRYPTO 85, vol. 218 of Lecture Notes in Computer Science.
[30] Julio Lopez, Ricardo Dahab, and Ricardo Dahab, "An Overview of Elliptic Curve Cryptography," Tech. Rep., Institute of Computing, State University of Campinas, 2000.
[31] David Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. 1998, pp. 199-203, Springer-Verlag.
[32] Cheng-Chi Lee, Wei-Pang Yang, and Min-Shiang Hwang, "Untraceable blind signature schemes based on discrete logarithm problem," Fundamenta Informaticae, vol. 55, no. 3-4, pp. 307-320, 2002.
[33] C.-I. Fan and C.-L. Lei, "Efficient blind signature scheme based on quadratic residues," Electronics Letters, vol. 32, no. 9, pp. 811-813, 1996.
[34] David Pointcheval and Jacques Stern, "Provably Secure Blind Signature Schemes," in Advances in Cryptology ASIACRYPT '96. 1996, vol. 4484 of Lecture Notes in Computer Science, pp. 252-265, Springer Berlin/Heidelberg.
[35] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks," SIAM Journal on Computing, vol. 17, pp. 281-308, 1988.
[36] David Pointcheval and Jacques Stern, "Security Proofs for Signature Schemes," in Advances in Cryptology EUROCRYPT 96. 1996, vol. 1070/1996 of Lecture Notes in Computer Science, pp. 387-398, Springer Berlin/Heidelberg.
[37] David Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms," Communications of the ACM, vol. 24, no. 2, pp. 84-88, February 1981.
[38] Douglas Wikstrom, "An Efficient Mix-net," 2002, SICS Technical Report T2002:21. Swedish Institute of Computer Science ISSN 1100-3154.
[39] Dan Boneh and Philippe Golle, "Almost entirely correct mixing with applications to voting," in CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, New York, NY, USA, 2002, pp. 68-77, ACM.
[40] Jun Furukawa and Kazue Sako, "An Efficient Scheme for Proving a Shuffle," in CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, London, UK, 2001, vol. 2139 of Lecture Notes In Computer Science, pp. 368-387, Springer-Verlag.
[41] Douglas Wikstrom, "A Universally Composable Mix-Net," in Theory of Cryptography, vol. 2951 of Lecture Notes in Computer Science, pp. 317-335. Springer Berlin/Heidelberg, 2004.
[42] Sheng Zhong, Dan Boneh, Markus Jakobsson, and Ari Juels, "Optimistic mixing for exit-polls," in Asiacrypt 2002, LNCS 2501. 2002, pp. 451-465, Springer-Verlag.
[43] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, "Efficient secret sharing without a mutually trusted authority," in Advances in Cryptology - EUROCRYPT '95, vol. 921 of Lecture Notes in Computer Science, pp. 183-193. Springer-Verlag New York, Inc., 1995.
[44] Ingemar Ingemarsson and Gustavus J. Simmons, "A protocol to set up shared secret schemes without the assistance of mutually trusted party," in EUROCRYPT '90: Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology, New York, NY, USA, 1991, pp. 266-282, Springer-Verlag New York, Inc.
[45] Pierre-Alain Fouque and Jacques Stern, "Fully Distributed Threshold RSA under Standard Assumptions," in Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, vol. 2248 of Lecture Notes in Computer Science, pp. 310-330. 2001.
[46] I. Damgard and M. Koprowski, "Practical Threshold RSA Signatures Without a Trusted Dealer," Tech. Rep., Aarhus University, BRICS, 2000.
[47] Adi Shamir, "How to share a secret," Commun. ACM, vol. 22, no. 11, pp. 612-613, 1979.
[48] S Goldwasser, S Micali, and C Rackoff, "The knowledge complexity of interactive proof-systems," in STOC '85: Proceedings of the seventeenth annual ACM symposium on Theory of computing, New York, NY, USA, 1985, pp. 291-304, ACM.
[49] A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," in Advances in Cryptology - Crypto '86, New York, 1987, pp. 186-194, Springer-Verlag.
[50] Joan Boyar, Katalin Friedl, and Carsten Lund, "Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies," Journal of Cryptology, vol. 4, pp. 155-172, 1994.
[51] Oded Goldreich and Yair Oren, "Definitions and Properties of Zero-Knowledge Proof Systems," Journal of Cryptology, vol. 7, no. 1, pp. 1-32, 1994.
[52] A. Kiayias and M. Yung, "The vector-ballot e-voting approach," in Financial Cryptography, Patrick P. Tsang and Victor K. Wei, Eds., vol. 3110/2004 of Lecture Notes in Computer Science, pp. 72-89. Springer-Verlag, 2004.
[53] T. Kiesler and L. Harn, "Cryptographic master-key-generation scheme and its application to public key distribution," Computers and Digital Techniques, IEEE Proceedings -, vol. 139, no. 3, pp. 203-206, May 1992.
[54] S. G. Akl and P. D. Taylor, "Cryptographic solution to a problem of access control in a hierarchy," 1983, vol. 1, pp. 239-248.
[55] M. Jakobsson and M. Yung, "Revocable and Versatile Electronic Money," 3rd ACM Conference on Computer and Communications Security, pp. 76-87, 1996.
[56] G Davida, Y Frankel, Y Tsiounis, and M Yung, "Anonymity Control in E-Cash Systems," in Financial Cryptography: First International Conference, Anguilla, British West Indies, 24-28 1997, vol. 1318, pp. 1-16, Springer-Verlag.
[57] Jan Camenisch, Ueli M. Maurer, and Markus Stadler, "Digital Payment Systems with Passive Anonymity-Revoking Trustees," in ESORICS, 1996, pp. 33-43.
[58] Byeonggon Kim, Sungjun Min, and Kwangjo Kim, Fair tracing based on VSS and blind signature without Trustees, vol. 3314/2005 of Lecture Notes in Computer Science, pp. 1061-1066, Springer Berlin/Heidelberg, 2004.
[59] Xiaofeng Chen, Fangguo Zhang, and Yumin Wang, "A New Approach to Prevent Blackmailing in E-Cash," Cryptology ePrint Archive, Report 2003/055, 2003, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[60] Markus A. Stadler, Jean-Marc Piveteau, and Jan L. Camenisch, "Fair Blind Signatures," in Advances in Cryptology EUROCRYPT 95, vol. 921 of Lecture Notes in Computer Science, pp. 209-219. Springer Berlin/Heidelberg, 1995.
[61] Joris Claessens, Claudia Diaz, Caroline Goemans, Bart Preneel, Joos Vandewalle, and Jos Dumortier, "Revocable anonymous access to the Internet?," Internet Research: Electronic Networking Applications and Policy, vol. 13, no. 4, pp. 242-58, August 2003.
[62] Claudia Diaz, Vincent Naessens, Svetla Nikova, Bart De Decker, and Bart Preneel, "Anonymity and Privacy in Electronic Services, IWT. APES deliverable 11. Tools for Technologies and Applications of Controlled Anonymity," 2004.
[63] Joris Claessens, Claudia Diaz, Svetla Nikova, Vincent Naessens, Bart De Win, Caroline Goemans, Stefaan Seys, Mieke Loncke, Jos Dumortier, Bart De Decker, and Bart Preneel, "Anonymity and Privacy in Electronic Services, IWT. APES deliverable 11. Technologies for Controlled Anonymity," Tech. Rep., Katholieke Universiteit Leuven, 2003.
[64] Rolf Wendolsky Stefan Köpsell and Hannes Federrath, "Revocable Anonymity," in Emerging Trends in Information and Communication Security, vol. 3995 of Lecture Notes in Computer Science. Springer Berlin/Heidelberg, 2006.
[65] D. Chaum, "The dining cryptographers problem: unconditional sender and recipient untraceability," Journal of Cryptology, vol. 1, no. 1, pp. 65-75, 1988.
[66] Z. Zwierko, A. Kotulski, "A new protocol for group authentication providing partial anonymity," Next Generation Internet Networks, pp. 356-363, 2005.
[67] Adam Wierzbicki, Aneta Zwierko, and Zbigniew Kotulski, "A new authentication protocol for revocable anonymity in ad-hoc networks," Computing Research Repository (CoRR), 2005, abs/cs/0510065.
[68] Anna Lysyanskaya, Ronald L. Rivest, and Amit Sahai, "Pseudonym Systems," in Proceedings of SAC 1999, volume 1758 of LNCS. 1999, pp. 184-199, Springer Verlag.
[69] Ian Avrum Goldberg, "A Pseudonymous Communications Infrastructure for the Internet," Tech. Rep., University of California, 2000.
[70] Ian Goldberg and David Wagner, "TAZ Servers and the Rewebber Network: Enabling Anonymous Publishing on the World Wide Web," First Monday, vol. 3, 1997.
[71] D. Chaum, P. Y. A. Ryan, and S. A. Schneider, "A practical, Voter-verifiable Election Scheme," Tech. Rep., University of Newcastle upon Tyne, 2004.
[72] C. Andrew Neff, "Practical High Certainty Intent Verification For Encrypted Votes," Tech. Rep., VoteHere, 2004.
[73] Tatsuaki Okamoto, "Receipt-free electronic voting schemes for large scale elections," in Security Protocols. 1998, vol. 1361/1998 of Lecture Notes in Computer Science, pp. 25-35, Springer Berlin/Heidelberg.
[74] Kazuo Ohta Atsushi Fujioka, Tatsuaki Okamoto, "A practical secret voting scheme for large scale elections," in Advances in Cryptology. AUSCRYPT '92, 1992, pp. 244-251.
[75] Josh Daniel Cohen Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, Yale University, New Haven, CT, USA, 1987.
[76] Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers, "A Secure and Optimally Efficient Multi-Authority Election Scheme," in Proceedings of Eurocrypt 97, vol. 1233 of Lecture Notes in Computer Science, p. 103. 1997.
[77] Martin Hirt and Kazue Sako, "Efficient Receipt-Free Voting Based on Homomorphic Encryption," Lecture Notes in Computer Science, vol. 1807, pp. 539+, 2000.
[78] Alessandro Acquisti, "Receipt-Free Homomorphic Elections and Write-in Ballots," Cryptology ePrint Archive, Report 2004/105, 2004, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[79] Joshua Kurlantzick, "2000, the sequel," American Prospect, 2004, 15(10), 22-5.
[80] C. Andrew Neff, "Election Confidence," Tech. Rep., VoteHere, Inc, 2003, Revision 6 December 17, 2003.
[81] Chris Karlof, Naveen Sastry, and David Wagner, "Cryptographic voting protocols: A systems perspective," in SSYM '05: Proceedings of the 14th conference on USENIX Security Symposium, Berkeley, CA, USA, 2005, pp. 33-50, USENIX Association.
[82] Peter Y. A. Ryan and Thea Peacock, "Prêt à Voter: A Systems Perspective," Tech. Rep. CS-TR-929, School of Computing Science, University of Newcastle, 2005.
[83] Bennian Dou, Chunhua Chen, and Roberto Araujo, "Attacks and Modifications of CJC's E-voting Scheme," Cryptology ePrint Archive, Report 2006/300, 2006, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[84] Wen-Shenq Juang and Chin-Laung Lei, "A Secure and Practical Electronic Voting Scheme for Real World Environments (Special Section on Cryptography and Information Security)," IEICE transactions on fundamentals of electronics, communications and computer sciences, vol. 80, no. 1, pp. 64-71, 1997.
[85] L. Cranor and R. Cytron, "Sensus: A security-conscious electronic polling system for the Internet," in Proceedings of the Hawai International Conference on System Sciences, 1997, Wailea, Hawaii.
[86] Jue-SamChou,YalinChen,andJin-ChengHuang,\ANovelSecureElectronicVotingProtocolBasedOnBilinearPairings,"CryptologyePrintArchive,Report2006/342,2006,RetrievedOct1,2009,from http://eprint.iacr.org/ [87] RonaldCramer,MatthewFranklin,BerrySchoenmakers,andMotiYung,\Multi-authoritySecret-BallotElectionswithLinearWork,"LectureNotesinComputerScience,vol.1070,pp.72{83,1996. [88] ByoungcheonLeeandKwangjoKim,\Receipt-freeelectronicvotingthroughcollaborationofvoterandhonestverier,"inProceedingofJapan{KoreaJointWorkshoponInformationSecurityandCryptology,pp.101{108.2000,Okinawa,Japan. [89] ByoungcheonLee,ColinBoyd,EdDawson,KwangjoKim,JeongmoYang,andSeungjaeYoo,\ProvidingReceipt-freenessinMixnet-basedVotingProtocols,"inInformationSecurityandCryptology-ICISC2003,vol.2971/2004ofLectureNotesinComputerScience,pp.245{258.SpringerBerlin/Heidelberg,2004. [90] JoshBenalohandDwightTuinstra,\UncoercibleCommunication,"Tech.Rep.,ClarksonUniversity,1997,ComputerScienceTechnicalReportTR-MCS-94-1. [91] EmmanouilMagkos,MikeBurmester,andVassiliosChrissikopoulos,\Receipt-FreenessinLarge-ScaleElectionswithoutUntappableChannels,"inI3E'01:ProceedingsoftheIFIPConferenceonTowardsTheE-Society.2001,vol.202,pp.683{694,Kluwer,B.V. [92] ByoungcheonLeeandKwangjoKim,\Receipt-FreeElectronicVotingSchemewithaTamper-ResistantRandomizer,"inInformationSecurityandCryptologyICISC2002.2002,LectureNotesinComputerScience,pp.389{406,SpringerBerlin/Heidelberg. [93] MichaelIanShamos,\Paperv.ElectronicVotingRecordsAnAssessment,"AccompanyingpapertoACMComputers,Freedom&PrivacyConferenceheldinBerkeley,CaliforniainApril2004. [94] R.Crane,A.Keller,A.Dechert,E.Cherlin,andD.Mertz,\ADeeperLook:RebuttingShamosone-Voting,"inUniversityVotingSystemCompetition(Vo-Comp)2007,,2007. [95] ArthurM.KellerandDavidMertz,\Privacyissuesinanelectronicvotingmachine,"inProceedingsoftheACMWorkshoponPrivacyintheElectronicSociety(WPES.2004,pp.33{34,ACMPress. 
[96] JonathanBannet,DavidW.Price,AlgisRudys,JustinSinger,andDanS.Wallach,\Hack-a-Vote:SecurityIssueswithElectronicVotingSystems,"IEEESecurityandPrivacy,vol.2,no.1,pp.32{37,2004. 120

PAGE 121

[97] Jr.WalterR.Mebane,\WhoWon?StatisticalElectionFraudDetection,"2006USENIX/ACCURATEElectronicVotingTechnologyWorkshop,KeynoteAddress,2006. [98] ElectronicFrontierFoundation,\AccessibilityandAuditabilityinElectronicVoting,"WhitePaper,2004,RetrievedSep.21,2009,from http://www.eff.org/wp/accessibility-and-auditability-electronic-voting [99] NaveenSastry,TadayoshiKohno,andDavidWagner,\Designingvotingmachinesforverication,"inUSENIX-SS'06:Proceedingsofthe15thconferenceonUSENIXSecuritySymposium,Berkeley,CA,USA,2006,USENIXAssociation. [100] Yu-YiChen,Jinn-KeJan,andChin-LingChen,\ThedesignofasecureanonymousInternetvotingsystem,"ComputersandSecurity,23(4),pp.pp.330{337.,2004. [101] IndrajitRay,IndrakshiRay,andNatarajanNarasimhamurthi,\Ananonymouselectronicvotingprotocolforvotingovertheinternet,"inProceedingsoftheThirdInternationalWorkshoponAdvancedIssuesofE-CommerceandWeb-basedInformationSystems,2001,pp.21{22. [102] AndreuRieraandJoanBorrell,\PracticalApproachtoAnonymityinLargeScaleElectronicVotingSchemes,"inNetworkandDistributedSystemSecuritySymposium{NDSS99.1999. [103] DavidChaum,AleksEssex,RichardCarback,JeremyClark,StefanPopoveniuc,AlanSherman,andPoorviVora,\Scantegrity:End-to-endvoter-veriableoptical-scanvoting,"IEEESecurityandPrivacy,vol.6,no.3,May/June2008. [104] D.Chaum,\Electionswithunconditionally-secretballotsanddisruptionequivalenttobreakingrsa,"inLectureNotesinComputerScienceonAdvancesinCryptology-EUROCRYPT'88,NewYork,NY,USA,1988,pp.177{182,Springer-VerlagNewYork,Inc. [105] K.Sako,\Electronicvotingschemeallowingopenobjectiontothetally,"Transac-tionsonFundamentalsofElectronics,CommunicationsandComputerSciences,vol.E77-A,no.1,January1994. [106] WenshenqJuang,ChinlaungLei,andPeilingYu,\Averiablemulti-authoritiessecretelectionallowingabstainingfromvoting,"InternationalComputerSymposium,vol.45,pp.672{682,1998. [107] Wen-ShenqJuangandChin-LaungLei,\Acollision-freesecretballotprotocolforcomputerizedgeneralelections,"ComputersandSecurity,vol.15,no.4,pp.339{348,1996. 
[108] KwangjoKim,JinhoKim,ByoungcheonLee,andGookwhanAhn,\Experimentaldesignofworldwideinternetvotingsystemusingpki,"2001. 121

PAGE 122

[109] ChoonsikPark,KazutomoItoh,andKaoruKurosawa,\Ecientanonymouschannelandall/nothingelectionscheme,"inEUROCRYPT'93:WorkshoponthetheoryandapplicationofcryptographictechniquesonAdvancesincryptology,Secaucus,NJ,USA,1994,pp.248{259,Springer-VerlagNewYork,Inc. [110] MasayukiAbe,\Universallyveriablemix-netwithvericationworkindependentofthenumberofmix-servers,"inAdvancesinCryptologyEUROCRYPT'98.1998,vol.1403ofLectureNotesinComputerScience,SpringerBerlin/Heidelberg. [111] KazueSakoandJoeKilian,\Receipt-freemix-typevotingscheme,"inAdvancesinCryptologyEUROCRYPT95.1995,vol.921/1995ofLectureNotesinComputerScience,pp.393{403,SpringerBerlin/Heidelberg. [112] MarkusJakobsson,AriJuels,andRonaldL.Rivest,\Makingmixnetsrobustforelectronicvotingbyrandomizedpartialchecking,"inUSENIXSecuritySymposium,2002,pp.339{353. [113] MarkusJakobsson,\APracticalMix,"LectureNotesinComputerScience,vol.1403,pp.448{461,1998. [114] AriJuels,DarioCatalano,andMarkusJakobsson,\Coercion-resistantelectronicelections,"inWPES'05:Proceedingsofthe2005ACMworkshoponPrivacyintheelectronicsociety,NewYork,NY,USA,2005,pp.61{70,ACM. [115] JensGroth,\Averiablesecretshueofhomomorphicencryptions,"inINPROCEEDINGSOFPKC03,LNCSSERIES.2005,pp.145{160,Springer-Verlag. [116] DavidChaum,\Secret-BallotReceipts:TrueVoter-VeriableElections,"IEEESecurityandPrivacy,vol.2,no.1,pp.38{47,2004. [117] JoshD.CohenandMichaelJ.Fischer,\Arobustandveriablecryptographicallysecureelectionscheme,"inSFCS'85:Proceedingsofthe26thAnnualSymposiumonFoundationsofComputerScience,Washington,DC,USA,1985,pp.372{382,IEEEComputerSociety. [118] JoshCBenalohandMotiYung,\Distributingthepowerofagovernmenttoenhancetheprivacyofvoters,"inPODC'86:ProceedingsofthefthannualACMsymposiumonPrinciplesofdistributedcomputing,NewYork,NY,USA,1986,pp.52{62,ACM. [119] KazueSakoandJoeKilian,\Securevotingusingpartiallycompatiblehomomorphisms,"inAdvancesinCryptologyCRYPTO94.1994,vol.839ofLectureNotesinComputerScience,pp.411{424,SpringerBerlin/Heidelberg. 
[120] I.Damgard,M.Jurik,andJ.Nielsen,\Ageneralizationofpaillier'spublic-keysystemwithapplicationstoelectronicvoting,"2003. 122

PAGE 123

[121] MarkusJakobsson,KazueSako,andRussellImpagliazzo,\DesignatedVerierProofsandTheirApplications,"inAdvancesinCryptologyEUROCRYPT96,vol.1070ofLectureNotesinComputerScience,pp.143{154.SpringerBerlin/Heidelberg,1996. [122] RonaldL.Rivest,\TheThreeBallotVotingSystem,"Tech.Rep.,VotingTechnologyProject,Caltech/MIT,2009. [123] StefanPopoveniucandBenHosp,\AnIntroductiontoPunchscan,"Tech.Rep.,Punchscan,October2006,RetrievedSep.21,2009,from http://www.punchscan.org/papers/popoveniuc_hosp_punchscan_introduction.pdf [124] KevinFisher,RichardCarback,andAlanSherman,\Punchscan:IntroductionandSystemDenitionofaHigh-IntegrityElectionSystem,"inProceedingsoftheIAVoSSWorkshopOnTrustworthyElections(WOTE'06),Cambridge,UK,PeterA.Ryan,Ed.,June2006. [125] BenHosp,\Write-inVotesForPunchscan,"Tech.Rep.,Punchscan,February2007,RetrievedSep.21,2009,from http://punchscan.org/press/punchscanwritein.pdf [126] JoyMarieForsythe,\EncryptedReceiptsforVoter-VeriedElectionsUsingHomomorphicEncryption,"M.S.thesis,M.I.T.,2005. [127] RonaldL.Rivest,\Asimpleruleofthumbforelectionauditsizedetermination,"Unpublisheddraft.Version10/31/2007. [128] JosephLorenzoHall,\ElectionAuditingBibliography,"2009,RetrievedSep.21,2009,from http://josephhall.org/eamath/bib.pdf [129] JohnKelsey,\PreliminaryAnalysisofThreatstoVotingSystems,"Tech.Rep.,NationalInstituteofStandardsandTechnology(NIST),2005. [130] DouglasW.Jones,\Threatstovotingsystems,"ApositionpaperfortheNISTworkshoponThreatstoVotingSystemsOctober7,2005,Gaithersburg,MD. [131] JavedA.Aslam,RalucaA.Popa,andRonaldL.Rivest,\Onestimatingthesizeandcondenceofastatisticalaudit,"inEVT'07:ProceedingsoftheUSENIXWorkshoponAccurateElectronicVotingTechnology,2007. [132] DouglasW.Jones,\ProblemswithVotingSystemsandtheApplicableStandards,"2001,TestimonybeforetheU.S.HouseofRepresentatives'CommitteeonScience. [133] MargaretMcgaleyandJoeMccarthy,\Transparencyande-Voting:Democraticvs.CommercialInterests,"inInternationalWorkshoponElectronicVotinginEurope,2004,pp.153{163. 123

PAGE 124

[134] TadayoshiKohno,AdamStubbleeld,AvielD.Rubin,andDanS.Wallach,\AnalysisofanElectronicVotingSystem,"inIEEESymposiumonSecurityandPrivacy,2004. [135] A.Keller,D.Mertz,J.Hall,andA.Urkin,\Privacyissuesinanelectronicvotingmachine,"inACMWorkshoponPrivacyintheElectronicSociety,pp.33{34.October2004. [136] TillStegersAnanyaDas,YuanNiu,\SecurityAnalysisoftheeVACSOpen-SourceVotingSystem,"Manuscript,2005,RetrievedSep.21,2009,from http://wwwcsif.cs.ucdavis.edu/stegers/eVACS-nal-report.pdf. [137] PhilipE.Varner,\VoteEarly,VoteOften,andVoteHere:ASecurityAnalysisofVoteHere,"M.S.thesis,UniversityofVirginia,2001. [138] BenAdidaandC.AndrewNe,\Ballotcastingassurance,"inEVT'06:ProceedingsoftheUSENIX/AccurateElectronicVotingTechnologyWorkshop2006onElectronicVotingTechnologyWorkshop,2006. [139] BenAdida,AdvancesinCryptographicVotingSystems,Ph.D.thesis,M.I.T,August2006. [140] OrhanCetinkayaandDenizCetinkaya,\Vericationandvalidationissuesinelectronicvoting,"inECEG2007:The7thEuropeanConferenceone-Government,June2007,Volume5Issue2SpecialIssue:ECEG2007DenHaag. [141] A.T.Sherman,A.Gangopadhyay,S.H.Holden,G.Karabatis,A.G.Koru,C.M.Law,D.F.Norris,J.Pinkston,A.Sears,andD.Zhang,\Anexaminationofvotevericationtechnologies:ndingsandexperiencesfromthemarylandstudy,"inProceedingsoftheUSENIX/AccurateElectronicVotingTechnologyWorkshopEVT06,Canada,2006. [142] JohnMcDermottandChrisFox,\UsingAbuseCaseModelsforSecurityRequirementsAnalysis,"inACSAC'99:Proceedingsofthe15thAnnualCom-puterSecurityApplicationsConference,Washington,DC,USA,1999,p.55,IEEEComputerSociety. [143] BruceSchneier,\AttackTrees,"Dr.Dobb'sJournal,December1999. [144] R.GreenandJ.Adler,\ThreatAnalysis,"Tech.Rep.,VHTiElectionVericationTechnology,VoteHere,2003. [145] S.KentandR.Atkinson,\RFC2406:IPEncapsulatingSecurityPayload(ESP),"InternetEngineeringTaskForce(IETF),RetrievedSep.21,2009,from http://www.ietf.org/rfc/rfc2406.txt 124

PAGE 125

[146] T.DierksandC.Allen,\RFC2246:TheTLSProtocol,"InternetEngineeringTaskForce(IETF),RetrievedSep.21,2009,from http://tools.ietf.org/html/rfc2246 [147] MartinHirt,Multi-PartyComputation:EcientProtocols,GeneralAdversaries,andVoting,Ph.D.thesis,ETHZurich,Sept.2001,Reprintasvol.3ofETHSeriesinInformationSecurityandCryptography,Hartung-GorreVerlag,Konstanz,2001. [148] MajidJavidMoayed,AbdulAzimAbdulGhani,andRamlanMahmod,\ASurveyonCryptographyAlgorithmsinSecurityofVotingSystemApproaches,"ComputationalScienceanditsApplications,InternationalConference,pp.190{200,2008. [149] DavidChaum,JeroenVanDeGraaf,PeterY.A.Ryan,andPoorviL.Vora,\SecretBallotElectionswithUnconditionalIntegrity,"CryptologyePrintArchive,Report2007/270,2008,RetrievedOct1,2009,from http://eprint.iacr.org/ [150] M.Klonowski,M.Kutylowski,A.Lauks,andF.Zagorski,\APracticalVotingSchemewithReceipts,"inInformationSecurity,vol.3650/2005ofLectureNotesinComputerScience,pp.490{497.SpringerBerlin/Heidelberg,2005. [151] PeterY.A.Ryan,\AvariantoftheChaumvoter-veriablescheme,"inWITS'05:Proceedingsofthe2005workshoponIssuesinthetheoryofsecurity,NewYork,NY,USA,2005,pp.81{88,ACMPress. 125

PAGE 126

BIOGRAPHICAL SKETCH

Bekir Arslan was born in Hamburg, Germany in 1976. He earned his B.S. in mathematics from Bilkent University, Ankara, Turkey in 1999. He received an M.A. in mathematics from Indiana University, Bloomington. His research area is cryptographic protocols.