Citation
Cryptographic Protocols

Material Information

Title:
Cryptographic Protocols Revocable Anonymity and E-Voting
Creator:
Arslan, Bekir
Place of Publication:
[Gainesville, Fla.]
Publisher:
University of Florida
Publication Date:
Language:
english
Physical Description:
1 online resource (126 p.)

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering
Computer and Information Science and Engineering
Committee Chair:
Newman, Richard E.
Committee Members:
Sitharam, Meera
Ungor, Alper
Banerjee, Arunava
Aytug, Haldun
Graduation Date:
12/18/2009

Subjects

Subjects / Keywords:
Ballots ( jstor )
Cryptography ( jstor )
Data encryption ( jstor )
Electoral systems ( jstor )
Electronic voting ( jstor )
Electronics ( jstor )
Political candidates ( jstor )
Pseudonyms ( jstor )
Receipts ( jstor )
Voting ( jstor )
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
anonymity, auditing, coercionresistance, controlled, electronicvoting, evoting, mercuri, mixnet, paillier, paperreceipts, pseudonymity, pseudonyms, receiptfreeness, revocation, vvpr, writein, zeroknowledgeproofs
Genre:
Electronic Thesis or Dissertation
born-digital ( sobekcm )
Computer Engineering thesis, Ph.D.

Notes

Abstract:
Our study lies in two areas of cryptographic protocols. The first area is anonymity, where we outline a protocol for anonymous communications supporting revocability and pseudonyms, making it possible to have anonymous yet stateful communications but also preventing malicious uses by having a possible (under certain conditions) revocation system. This is accomplished by registering a pseudonym-key pair using fair blind signatures, without revealing the pseudonym to the registering entity, but keeping sufficient information so that the pseudonym can later be revoked. This protocol has several potential uses, where not only anonymity is required, but a sense of reputation is also desired, and the possibility of revocation is either needed as a safeguard or part of the application itself. The second area is electronic voting, where we first establish some hybrid voting protocol and analyze the security and usefulness of similar protocols. The novel aspect of this protocol is that it uses both paper and electronic ballots, and it supports auditing of the electronic ballots using a sample of the paper-ballots. This has the benefit of not requiring a full recount yet still having another level of security for the electronic ballots. This feature is developed having the voting device print the re-encrypted vote on the paper-ballots, which then can be used to check the correctness of the original encryption, without reducing the privacy of the voters. Lastly, we design an electronic voting protocol supporting write-in ballots, which can also be used in other voting systems that traditionally could not support write-in protocols. It satisfies both uncoercibility and verifiability, among other key requirements, and does not require any computational power from the voter, which makes it the first such protocol. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (Ph.D.)--University of Florida, 2009.
Local:
Adviser: Newman, Richard E.
Electronic Access:
RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2010-06-30
Statement of Responsibility:
by Bekir Arslan.

Record Information

Source Institution:
University of Florida
Holding Location:
University of Florida
Rights Management:
Copyright Arslan, Bekir. Permission granted to the University of Florida to digitize, archive and distribute this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Embargo Date:
6/30/2010
Resource Identifier:
575543307 ( OCLC )
Classification:
LD1780 2009 ( lcc )



Full Text

PAGE 1

CRYPTOGRAPHIC PROTOCOLS: REVOCABLE ANONYMITY AND E-VOTING

By BEKIR ARSLAN

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA
2009

PAGE 2

© 2009 Bekir Arslan

PAGE 3

ACKNOWLEDGMENTS

I would like to express my appreciation for all the help I received from my advisor Dr. Richard Newman. His determined support, the enlightening discussions we had, his observations, corrections and comments were all integral to my work. I wish to thank the members of my committee, especially Dr. Meera Sitharam, for their help with writing this dissertation. My family's persistent support was another key ingredient, as well as the discussions with my brother, Dr. Guner Arslan. A heartfelt thank you goes to him and to my sister Gulay, my mother Selime and my father Cemal. Finally, the people who were always there for me, my friends. Ahmet Nalcacoglu, Volkan Kurtas, Umut Sargut, Oguzhan Topsakal, Mehmet Yesildag, Cem Boyac, Mete Takl, Hakan Dogan, Umud Devrim Yalcn, Frat Celikler and many more that I cannot list here. I am profoundly grateful for your help and support, I could not have done this without you. Thank you all.

PAGE 4

TABLE OF CONTENTS

page
ACKNOWLEDGMENTS ... 3
LIST OF TABLES ... 8
LIST OF FIGURES ... 9
LIST OF ABBREVIATIONS AND SYMBOLS ... 10
ABSTRACT ... 11

CHAPTER
1 INTRODUCTION ... 13
2 CRYPTOGRAPHIC BUILDING BLOCKS USED IN OUR PROTOCOLS ... 17
  2.1 Cryptographic Hash Functions ... 17
  2.2 Symmetric Encryption ... 18
  2.3 Public Key Cryptography ... 19
    2.3.1 RSA ... 20
    2.3.2 Paillier ... 20
      2.3.2.1 Proof of correct decryption of the Paillier threshold system ... 21
      2.3.2.2 Threshold version of Paillier cryptosystem ... 22
    2.3.3 Elliptic Curve Cryptography ... 22
  2.4 Blind Signatures ... 23
  2.5 Mix-nets ... 23
  2.6 Secret Sharing Protocols ... 24
  2.7 Proofs of Knowledge (Zero-Knowledge Proofs) ... 25
    2.7.1 Proof of Membership of a Given Set ... 25
    2.7.2 Proof of Knowledge for a Random Shuffle ... 26
  2.8 The Cut-and-Choose Method ... 26
  2.9 Master Key Generation ... 27
  2.10 Summary of Building Blocks ... 27
3 REVOCABLE ANONYMITY ... 29
  3.1 Introduction to Revocable Anonymity ... 29
  3.2 Problem Definition ... 30
  3.3 Previous Work ... 30
    3.3.1 APES: Controlled Anonymous Connections ... 33
      3.3.1.1 Basic solution ... 33
      3.3.1.2 Distributed solutions ... 33
    3.3.2 Pseudonymous Communications Infrastructure ... 34
    3.3.3 Anonymous Publication ... 35

PAGE 5

  3.4 Our Contribution: Revocable Pseudonymity Protocol ... 35
    3.4.1 Participants ... 36
    3.4.2 Parameters ... 36
    3.4.3 Protocol Specification ... 37
      3.4.3.1 Registration ... 37
      3.4.3.2 Sending messages and revocation ... 37
    3.4.4 The Math In Detail ... 38
    3.4.5 Security Analysis ... 38
    3.4.6 Improvement: Access Control ... 41
      3.4.6.1 Single tiered ... 41
      3.4.6.2 Multi tiered ... 41
      3.4.6.3 Problem with new groups ... 42
    3.4.7 Applications ... 42
    3.4.8 Conclusion ... 43
4 ELECTRONIC VOTING ... 45
  4.1 Introduction to Electronic Voting ... 45
  4.2 System Design Perspective ... 46
  4.3 Voting System Requirements ... 47
  4.4 Previous Work ... 48
    4.4.1 Blind Signature Based Protocols ... 49
    4.4.2 Sensus ... 50
    4.4.3 Mix-net Based Protocols ... 51
    4.4.4 Prêt à Voter ... 52
    4.4.5 Homomorphic Encryption Based Protocols ... 53
    4.4.6 The Vector-ballot E-voting Approach ... 54
    4.4.7 Mercuri Method ... 56
    4.4.8 Major Issues With Systems Based on the Mercuri Method ... 57
    4.4.9 Other Protocols ... 59
      4.4.9.1 Threeballot ... 59
      4.4.9.2 Punchscan ... 60
    4.4.10 Possible Reasons for Not Adopting Advanced Cryptographic Schemes ... 60
  4.5 Our Contribution: Homomorphic-Mercuri Hybrid Voting System ... 61
    4.5.1 Protocol Specification ... 62
      4.5.1.1 Participants ... 62
      4.5.1.2 Voting ... 63
      4.5.1.3 Sample voting walk-through ... 65
      4.5.1.4 Details of the commitments and encryptions ... 66
      4.5.1.5 Proof of equality of product of submitted votes and product of randomized votes ... 67
      4.5.1.6 Tallying ... 67
      4.5.1.7 Proof of correctness of the decryptions ... 67
      4.5.1.8 Auditing ... 68
      4.5.1.9 Audit mechanism details ... 69

PAGE 6

      4.5.1.10 Security improvement ... 71
      4.5.1.11 Using voting devices and paper ballot printers from two different suppliers ... 71
    4.5.2 Comparison ... 71
      4.5.2.1 Comparison with Prêt à Voter ... 71
      4.5.2.2 Comparison with the Mercuri method ... 72
  4.6 Security Analysis Methodologies ... 72
  4.7 Analysis of Our Voting System ... 76
    4.7.1 Requirements ... 76
      4.7.1.1 Primary requirements ... 76
      4.7.1.2 Secondary requirements ... 77
      4.7.1.3 List of requirements ... 77
    4.7.2 Assumptions and Trust ... 78
      4.7.2.1 The DRE and the voting booth ... 78
      4.7.2.2 Election authorities and DRE suppliers ... 79
      4.7.2.3 Bulletin board ... 79
      4.7.2.4 Voters ... 80
      4.7.2.5 Summary list of assumptions ... 80
    4.7.3 Attacker Based Analysis ... 81
      4.7.3.1 Attacks by the voter ... 81
      4.7.3.2 Attacks by the DRE ... 82
      4.7.3.3 Attacks by the authority ... 82
      4.7.3.4 Attacks by the coercer ... 83
    4.7.4 Collusions ... 83
      4.7.4.1 Voter and coercer ... 84
      4.7.4.2 DRE and authorities ... 84
      4.7.4.3 DRE and coercer ... 84
      4.7.4.4 Authorities and coercer ... 85
      4.7.4.5 DRE, authorities and coercer ... 85
    4.7.5 Recovery ... 85
  4.8 Conclusion ... 86
5 WRITE-IN BALLOTS ... 88
  5.1 Introduction to Write-in Ballot Support ... 88
  5.2 Previous Work ... 89
    5.2.1 Vector-Ballot Approach by Kiayias and Yung ... 90
    5.2.2 Prêt à Voter ... 90
      5.2.2.1 Introduction ... 91
      5.2.2.2 Overview ... 91
      5.2.2.3 Set-up ... 92
      5.2.2.4 Ballot construction ... 93
      5.2.2.5 Tallying ... 94
      5.2.2.6 Security checks ... 94
      5.2.2.7 Checking the teller ... 95

PAGE 7

  5.3 Our Contribution: Supporting Write-in Ballots ... 95
    5.3.1 Setup ... 96
    5.3.2 Participants ... 96
    5.3.3 Protocol Overview ... 97
    5.3.4 Vector Ballots ... 99
    5.3.5 Pre-Listed Candidates ... 100
  5.4 Write-in Ballot Details ... 100
    5.4.1 Ballot Construction ... 101
    5.4.2 Opening Ballots ... 102
    5.4.3 Auditing ... 102
    5.4.4 Proofs of Knowledge ... 102
      5.4.4.1 Proof of knowledge for the mixing phase ... 103
      5.4.4.2 Probability of a cheating mixer being caught ... 104
  5.5 Sample Protocol ... 104
    5.5.1 Voting ... 104
    5.5.2 Tallying ... 105
  5.6 Protocol Analysis ... 106
    5.6.1 Receipt-Freeness ... 106
    5.6.2 Vote cast as intended ... 106
    5.6.3 Authority-Voting Device Collusion ... 107
    5.6.4 Coercer-Voting Device Collusion ... 107
    5.6.5 Denial of Service Attacks ... 107
    5.6.6 Election procedures to improve security ... 108
  5.7 Conclusion ... 108
6 CONCLUSION ... 110
  6.1 Revocable Anonymity ... 110
  6.2 Hybrid Mercuri-Homomorphic Encryption Protocol With Audit Support ... 111
  6.3 Write-in Ballot Support ... 111
REFERENCES ... 113
BIOGRAPHICAL SKETCH ... 126

PAGE 8

LIST OF TABLES

Table ... page
3-1 Revocable pseudonymity protocol parameters ... 37
4-1 Sample ballot ... 65
4-2 Sample receipt ... 66

PAGE 9

LIST OF FIGURES

Figure ... page
4-1 Participants of the voting protocol ... 63
4-2 Candidate selection screen ... 64
5-1 Sample write-in ballot ... 97

PAGE 10

LIST OF ABBREVIATIONS AND SYMBOLS

||  string concatenation
⊕  XOR, true only if exactly one of the operands is true
$Z_n$  The multiplicative group of integers modulo n
AES  Advanced Encryption Standard
AIPI  Anonymous IP Infrastructure
DES  Data Encryption Standard
DRE  Direct Recording Electronic [Voting Machine]
DoS  Denial of Service
eVACS  Electronic Voting and Counting System
IP  Internet Protocol
P2P  Peer to peer
NIST  The National Institute of Standards and Technology
NSA  National Security Agency
Tor  The Onion Router
URL  Uniform Resource Locator
VVPR  Voter Verifiable Paper Receipt

PAGE 11

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

CRYPTOGRAPHIC PROTOCOLS: REVOCABLE ANONYMITY AND E-VOTING

By Bekir Arslan

December 2009

Chair: Dr. Richard Newman
Major: Computer Engineering

Our study lies in two areas of cryptographic protocols. The first area is anonymity, where we outline a protocol for anonymous communications supporting revocability and pseudonyms, making it possible to have anonymous yet stateful communications but also preventing malicious uses by having a possible (under certain conditions) revocation system. This is accomplished by registering a pseudonym-key pair using fair blind signatures, without revealing the pseudonym to the registering entity, but keeping sufficient information so that the pseudonym can later be revoked. This protocol has several potential uses, where not only anonymity is required, but a sense of reputation is also desired, and the possibility of revocation is either needed as a safeguard or part of the application itself.

The second area is electronic voting, where we first establish some hybrid voting protocol and analyze the security and usefulness of similar protocols. The novel aspect of this protocol is that it uses both paper and electronic ballots, and it supports auditing of the electronic ballots using a sample of the paper-ballots. This has the benefit of not requiring a full recount yet still having another level of security for the electronic ballots. This feature is developed having the voting device print the re-encrypted vote on the paper-ballots, which then can be used to check the correctness of the original encryption, without reducing the privacy of the voters.

PAGE 12

Lastly, we design an electronic voting protocol supporting write-in ballots, which can also be used in other voting systems that traditionally could not support write-in protocols. It satisfies both uncoercibility and verifiability, among other key requirements, and does not require any computational power from the voter, which makes it the first such protocol.

PAGE 13

CHAPTER 1
INTRODUCTION

Cryptography is the science of analyzing ciphers and using these ciphers to solve real life problems. Encryption and decryption are the two obvious parts of this science, however there is much more to cryptography. Cryptographic protocols are protocols that take the basic tools of cryptography - like encryption/decryption or digital signatures - and apply them to various practical yet complicated problems. There are many applications, from secure online payments, to secure multiparty computation, from electronic cash to secure key exchanges that can be solved using cryptography.

Historically, cryptography was all about ensuring data confidentiality by using ciphers and to a much lesser extent hiding data itself - which became known as steganography. It is reported that Julius Caesar used a simple form of a substitution cipher (the Caesar cipher), and the use of ciphers continued throughout the second world war, when the study of cryptography and especially cryptanalysis accelerated. However, what can be called the start of modern cryptography dates back to the Feistel structure used in IBM's Lucifer cipher and its open standard heir, DES (data encryption standard), widely used in modern computers [1]. The use of cryptographic protocols, i.e., sophisticated cryptographic systems, on the other hand, did not come into focus until RSA was first introduced, opening the way to many more cryptographic primitives to be used.

Our studies have two parts. The first part tackles a problem related to anonymity. Our aim is to design a message board-like application that requires authentication, yet supports anonymity under a pseudonym when sending messages. Furthermore it supports conditional (anonymity) revocation, i.e., the administrators of the protocol are able to revoke the identity of a user, if at least k out of n of them agree, where k and n are constants chosen at setup.

The key difficulty of this problem is the use of both anonymity with pseudonyms and revocation, seemingly contradictory concepts (and technically they are contradictory, but

PAGE 14

with anonymity in this context we do not mean full anonymity, rather we mean controlled anonymity, i.e., anonymity that can be revoked only by the authorities). The difficulty of this problem is to keep users anonymous (in a controlled way), yet giving them secret pseudonyms that can be used to build a reputation. There are protocols that support revocable anonymity (for example e-cash protocols) and there are also protocols that support pseudonymity (some general anonymous infrastructures built for the Internet support pseudonyms), however there was no protocol that supported both at the same time before.

Our contribution is the construction of such a protocol: supporting both revocation and anonymity with pseudonyms, in short revocable pseudonymity. It also includes a threshold scheme that requires significant cooperation among the authorities to achieve revocation, so does not give excessive power to a single entity. We believe that this protocol has many practical applications, from using it just as a sophisticated message board, to more specific applications like wikis, peer review, and collaboration systems.

The second part is related to electronic voting. In this area, the main issue is the ability to receive a receipt demonstrating that the vote is correctly counted - without explicitly giving a proof of vote that might be used for vote buying or coercion. The first problem we consider is related to the so-called Mercuri method [2] and another type of electronic voting system construction popular among researchers. The Mercuri method proposes to use printed paper ballots in addition to electronic ballots, in order to increase security and verifiability without the need for cryptography. The other voting system construction we mentioned solves many problems related to security using cryptography in an efficient manner. However, since using the Mercuri method alone would be ignoring all the research and contributions made in the last twenty years, our aim was to use the corpus of previous research to further advance the security of the Mercuri method.

Previous work relating the Mercuri method to the use of cryptographic tools is almost non-existent. The main reason is the fact that the Mercuri method solves many of the

PAGE 15

problems easily, however at the price of still having paper-ballots. The other possible reason is that this method came into popular use only recently.

Our contribution is development of a protocol combining the Mercuri method with a popular type of (homomorphic encryption based) cryptographic electronic voting system, which leads to a voting protocol that is more secure than either and supports verifiability and receipt-freeness. Apart from combining these two protocols, our key contribution in this part is our novel and generic audit system, making the paper-ballots not only work as backup votes, but also as a way to sample and audit the electronic votes without conducting a full recount. This allows application of standard statistical methods to provide assurance of correct vote tallies, and to inform voting officials when full recounts may be needed.

Afterwards we evaluate the security of such voting protocols and analyze what such a combination accomplishes and if it is worth the overhead or redundancy that it brings. A further novelty is our use of a multilayer security analysis, which not only considers potential attacks and how the system defends against them, but which considers all the potential requirements that might be attacked by any of the potential attackers and points to any assumptions that need to be made for the system to be considered secure.

A third problem we address is supporting write-in ballots in the same type of voting protocols mentioned before. This is discouraging for electronic voting supporters, especially since the regular paper based elections supported it rather easily. Also, being able to vote for write-in candidates is currently required in many elections - primarily in the United States - so having write-in ballot support is also considered an important enhancement by researchers designing practical voting protocols.

The difficulty of this problem is that two very important requirements of voting protocols - uncoercibility and verifiability - which always seem to be contradicting each other, do so even more when write-in ballots are concerned. While most protocols supporting write-in ballots fail to satisfy one of these requirements, the few that got

PAGE 16

around this problem are not even close to being practical. Also, the only homomorphic encryption based protocols - which is considered to be the most efficient way to build a secure electronic voting system - that support write-in ballots, only do so by requiring the voter to have sufficient computational power to make encryptions. This again is not a practical assumption.

We present a protocol that is based on homomorphic encryption and supports write-in ballots, where the write-in ballots can be prepared by anyone inside the voting booth without any need for an external device with computational power. Our protocol supports both uncoercibility and verifiability and does not make any assumptions that would be hard to satisfy in practice. It is also a generic protocol that can easily be added to any homomorphic encryption based voting protocol.

We believe that having a threshold revocable pseudonymous protocol has many practical applications like wikis, collaboration and peer review systems, and multi-player games. Our hybrid voting protocol, on the other hand, is a welcome addition to the very important area of electronic voting and especially the audit mechanism gives a very useful and practical way to ensure the consistency and correctness of the electronic and paper ballots. Furthermore, our protocol for supporting write-in ballots gives a solution to a problem that at first sight looks unsolvable. This is due to the practical need of not having any computational power, yet requiring receipt-freeness and verifiability at the same time. Our protocol does this in a homomorphic encryption setting, which makes the solution even more remarkable. Apart from this novelty, it also fills an important gap in the electronic voting literature.

PAGE 17

CHAPTER 2
CRYPTOGRAPHIC BUILDING BLOCKS USED IN OUR PROTOCOLS

In this chapter, we briefly explain some commonly used techniques in cryptography that we also employ. These can be viewed as the tricks of the trade, as most cryptographic protocols are based on one or more of these primitives. Their requirements, properties and shortcomings will be integral to the following chapters and as such one needs at least a basic understanding of these techniques in order to grasp the finer details of our research area and proposed protocols.

The following sections are not meant to be thorough, but should cover the fundamental ideas and in some cases some basic protocols. Furthermore we include references for further study and for the current state of the research areas for interested readers.

2.1 Cryptographic Hash Functions

Cryptographic hash functions are similar to the hash functions used in computing, functions that map large chunks of text into smaller text or to an integer. They usually are required to be easy to calculate and also to make it computationally infeasible to create texts that map into a specific hash value. Cryptographic hash functions on the other hand, also require some additional properties: making construction of text (or rather a text that maps to the same hash value) from the hash infeasible (i.e., preimage attack resistant), and being uniform - i.e., even a one bit change in the text should result in an approximately 50% probability of change on each bit of the hash value - are the more important ones. The difficulty of producing two texts with the same hash value (collision resistance) is another important characteristic of cryptographic hash functions. Their most common use is demonstrating data integrity [3] in a wide range of protocols. MD5 (message digest algorithm 5) and SHA-1 (secure hash algorithm) are two very popular examples of hash functions, however in the last few years security weaknesses found by many researchers [4–9] resulted in these protocols being considered broken and currently

PAGE 18

most modern protocols and security aware products use the new generation hash functions like SHA-256 [10]. In 2007, the National Institute of Standards and Technology (NIST) started a public competition for a new hash function¹ that will be called SHA-3.

There are also keyed hash functions - or message authentication codes - which apart from data integrity (by using a hash) also supply authenticity. HMAC [11] (keyed hash message authentication code) is the most widely known example of such a hash function.

2.2 Symmetric Encryption

An encryption algorithm is considered symmetric, if the same single key is used for both encrypting the plaintext and decrypting the ciphertext. Symmetric algorithms are widely used particularly because of the speed of modern algorithms. Most modern symmetric encryption schemes fall into one of two categories: Block Ciphers and Stream Ciphers [1]. Block ciphers take a block of text and a key and return the ciphertext. Stream ciphers on the other hand generate a sequence from a key which can then be used to encrypt the plaintext bit by bit or character by character.

Popular encryption methods all share some common properties, considered to be required to prevent various attacks against them. For example obtaining the key from the ciphertext or decrypting parts of a ciphertext using known plaintext-ciphertext pairs should be virtually impossible. The counterpart of cryptology that studies such potential weaknesses is called cryptanalysis.

DES [12], which was designed by the NSA, is the first popular modern symmetric encryption method. In the 80's and 90's it was widely used, later on mostly in the form of Triple-DES [13], in various applications ranging from the password system in UNIX to Internet applications. However, as researchers found weaknesses [14, 15] - which incidentally can be considered the beginning of modern cryptanalysis - and as the key size was beginning to be too small for modern hardware, its use was replaced by more secure

¹ http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

PAGE 19

alternatives. In 2001, NIST selected (and the US Government adopted) Rijndael [16] as the new standard, known as AES (advanced encryption standard), which is still in wide use.

2.3 Public Key Cryptography

One shortcoming of symmetric encryption algorithms is the need for both the sender and the receiver to privately agree on a key beforehand. In most cases this is not a problem, but in many cases - especially with the advance of the Internet - it is a serious issue. Asymmetric encryption is a clever solution to this problem: The key that is used for encryption and the key that is used for decryption are different. There are two keys, usually one public and one private, so that Alice can use Bob's public key² (which he publishes publicly) to send him an encrypted message (ciphertext) that only Bob (using his private key) can decrypt. In practice, the encrypted message will usually be a key for a (much faster) symmetric encryption algorithm, which will then be used for communication.

In some asymmetric encryption algorithms, it is also possible to use the private key to encrypt and the public key to decrypt. This property is especially useful for signing messages. The sender can encrypt the message with his private key and the receiver can verify the authenticity of the message by decrypting the attached ciphertext using the sender's public key, and comparing it to the plaintext. There are several popular asymmetric encryption schemes (RSA [1, 3, 17], ElGamal [3], Paillier [18], etc.), here we give the algorithms for two of these:

² It is customary to use the names Alice and Bob for participants in cryptographic protocols. The letters A and B are then used as shorthands, and the corresponding pronouns are used within the text. We employ the same convention in this dissertation. Note that sometimes rather than Alice and Bob, it is common practice to use other names so that the initial letters of the names and the party's roles agree. For example Victor and Peggy for the Verifier and Prover in zero-knowledge proofs.

PAGE 20

2.3.1 RSA

RSA is one of the first public key encryption systems, which is still in wide use today. It is based on the difficulty of the integer factoring problem.

Key Generation:
1. Choose large primes $p$ and $q$.
2. Compute $n = pq$.
3. Compute $\varphi(n) = (p-1)(q-1)$. (Euler's totient function)
4. Choose a random integer $e$ less than $\varphi(n)$, co-prime with $\varphi(n)$.
5. Compute $d$, such that $de \equiv 1 \pmod{\varphi(n)}$.
6. $n$ and $e$ form the public key, while $d$ becomes the private key.

Encryption: To encrypt a message $m$, compute $c \equiv m^e \pmod{n}$.

Decryption: To decrypt, one takes the ciphertext $c$, and computes $m \equiv c^d \pmod{n}$.

For standards and best practices for using RSA see the NIST published standard [19]. Boneh and Franklin's publication [20] is the most influential work on generating shared keys for real-life use. For the 30 years since its first inception, many researchers analyzed the security of RSA. Boneh reviews the literature for the first 20 of these years [21]. [22–24] have some more recent developments in this area.

2.3.2 Paillier

Paillier is a homomorphic encryption system, i.e., for messages $a$ and $b$, and a key $K$, it holds that $E_K(a) + E_K(b) = E_K(a\,b)$, where $E_K(x)$ stands for encryption using the key $K$. Although not as widely used as RSA in practice, the homomorphism property makes it a popular choice for many protocols, especially in academic research papers.

Let $n = pq$, where $p$ and $q$ are prime, and $g$ satisfies $\gcd(L(g \pmod{n^2}), n) = 1$, where $L(u) = \frac{u-1}{n}$ and $= \operatorname{lcm}((p-1)(q-1))$.

The public key then would be $(n, g)$ and the private key. To encrypt m
PAGE 21

To see why Paillier is a homomorphic encryption system, assume that we have two messages $m_1$ and $m_2$. These will be encrypted into $g^{m_1} r_1^n$ and $g^{m_2} r_2^n$, so that their product will be $g^{m_1+m_2}(r_1 r_2)^n$, which is the encryption of $m_1 + m_2$, leading to $E(m_1)E(m_2) = E(m_1 + m_2)$, the homomorphism property. Note that all computations are done modulo $n^2$.

The publications of Paillier [18] and Baudron et al. [25] have more details on the working and security of this cryptosystem. Damgard [26] shows how to give a zero knowledge proof of correct decryption and a method to make the cryptosystem a threshold encryption scheme. Ruiz and Villar show how to get a publicly verifiable secret sharing protocol using Paillier [27].

Since Paillier is the cryptosystem used in our proposed protocols, and in many other previous protocols, we give some zero knowledge proofs (see Section 2.7) needed for the application of electronic voting.

Note that RSA is homomorphic for multiplication, while Paillier is homomorphic for addition. Addition homomorphism is more desirable for voting because of the size complexity of the ballots and output.

2.3.2.1 Proof of correct decryption of the Paillier threshold system

The Paillier Threshold System relies on several authorities sharing the secret key. To prevent any malicious authority from obstructing the decryption phase, each authority needs to submit zero-knowledge proofs of correct decryption of their shares. The constructions and zero knowledge proofs in this section are from [28].

Let $G$ be a cyclic group of unknown order $m$. Let $g$ be a generator for and $h$ an element of $G$. We want to show that the discrete logarithm of an element $G$ in the basis $g$ and of another element $H$ in the basis $h$ are equal, without making the order $m$ known. To simplify the use in practical applications, a non-interactive zero-knowledge proof is given. Let $r$ be a random number in $[0, A]$. Compute $x = g^r$ and $x' = h^r$. Let $e$ be the hash value $H'(g, h, G, H, x, x')$, where $H' \in [0, B]$. Let $y = r + es$. A proof of

equality of discrete logs is such a pair $(e, y) \in [0, B] \times [0, A)$. It is checked by the equation $e = H'(g, h, G, H, g^y/G^e, h^y/H^e)$.

2.3.2.2 Threshold version of Paillier cryptosystem

In this section we detail the threshold version of the Paillier cryptosystem, including the zero-knowledge proofs of correct decryption.

Key Generation. Choose $n = pq$, such that $\gcd(n, \varphi(n)) = 1$. Let $m = \frac{(p-1)(q-1)}{4}$. Let be a random element from $Z_n$. Randomly choose $(a, b) \in Z_n \times Z_n$. Set $g = (1+n)^a b^n \pmod{n^2}$. The secret key SK = m is shared with the Shamir scheme: let 0 = m, randomly choose $t$ values $a_i$ in $\{0, \ldots, nm-1\}$. Let $f(X) = \sum_{i=0}^{t} a_i X^i$. The share $s_i$ of the $i$th server $P_i$ is $f(i) \pmod{mn}$. The public key PK consists of $g$, $n$ and the value = L(g^m) = m (mod n). Let VK = v be a square that generates the subgroup of squares in $Z_{n^2}$. The verification keys are generated by $VK_i = v^{s_i} \pmod{n^2}$, where = s! and $s$ is the number of servers.

Encryption. To encrypt a message $M$, randomly pick $x \in Z_n$ and compute $c = g^M x^n \pmod{n^2}$.

Share Decryption. The $i$th player $P_i$ computes the decryption share $c_i = c^{2 s_i} \pmod{n^2}$ using his secret share $s_i$. Using the given proof of equality of discrete logarithms, he makes a proof of correctness by showing $c^4 \pmod{n^2}$ and $v \pmod{n^2}$ have been raised to the same power $s_i$ in order to obtain $c_i^2$ and $v_i$.

Combining. Assuming that at least $t$ decryptions have valid correctness proofs, let $S$ be the set of $t$ valid shares. The plaintext is computed by

$M = L\left(\prod_{j \in S} c_j^{2\,{}^{S}_{j}} \pmod{n^2}\right) \frac{1}{4\,{}^{2}} \pmod{n^2}$

where ${}^{S}_{j} = \prod_{j' \in S \setminus \{j\}} \frac{j'}{j'-j} \in Z$

2.3.3 Elliptic Curve Cryptography

First introduced by Victor Miller and Neal Koblitz [29], elliptic curve cryptography uses algebraic properties of elliptic curves to construct public key encryption systems.

The advantage over systems like RSA is that there is no sub-exponential method of deconstruction of the keys, making them sometimes more efficient than other similar systems. For a detailed and technical overview see the overview of Lopez et al. [30].

2.4 Blind Signatures

Although cryptographic signatures are used extensively in many protocols, in many cases there is a need for a way to sign a message without actually being able to read it. In a nutshell, this is what blind signatures [1, 31-33] accomplish. One potential application for these schemes would be to use them for notary purposes - if the signed document is secret and valuable. Another would be to use them in time-stamp protocols. One research area where blind signatures were fundamental for most solutions is e-cash. The ability to get e-cash from authorities without actually making it traceable is a problem where blind signatures were successfully applied.

To see how a blind signature scheme might work, consider this simple (yet not very secure) method based on RSA: To get a blind signature for a message $m$, the sender first generates a random number $r$, which is co-prime with $n = pq$. He then calculates $M = m r^e \bmod n$, where $e$ is the public exponent in the RSA system, and sends the result to the signing authority. The authority signs the message by finding $S = M^d \bmod n$, where $d$ is the private key of the RSA system. Now the sender can get the signature $s = S r^{-1} \bmod n$. Because $r$ is random, the signer gets no information about the message, yet the receiver can check the signature by comparing $s$ to $m^d$.

Research on blind signatures was very active in the 80's and 90's, where protocols with different security characteristics were proposed and where these protocols were used for different problems [34-36].

2.5 Mix-nets

Mix-nets were invented by Chaum [37], with the aim of sending anonymous email. Later improvements made it useful for several other purposes. The key idea is to put several messages into secure `envelopes', which are later mixed by several nodes so that

at the end the link between the leaving messages and arriving messages are lost. The challenge is ensuring that the mixes (shuffles) are done correctly (i.e., without one of the nodes cheating by changing one or more of the messages) and efficiently. This is usually handled by re-encrypting the encrypted inputs and having the nodes submit zero knowledge proofs that the re-encryptions are correct, without revealing the exact mapping of the mix. Of course, the length of these encrypted messages need to be uniform, so that one cannot discover the mapping by observing the lengths of the input and output to a mix. Designing efficient mix-nets is still an active research topic [38-42].

2.6 Secret Sharing Protocols

A secret sharing protocol is used to share a secret (usually just a key) among many parties, such that the key can only be reconstructed when all parties agree. Several different ways of such protocols are proposed over the years [1, 28]. To prevent various problems, some improved protocols - called threshold secret sharing protocols - are designed so that $k$ out of $n$ of the players (k n) are sufficient to reconstruct the secret. These are also guaranteed to be secure even if there are certain number of malicious participants [25]. Recently some new protocols are published where there is not even a need for a central authority to distribute the shares of the key [43, 44]. Methods published by Fouque and Stern [45] as well as by Damgard and Koprowski [46] can be used to turn generic secret sharing protocols into trusted distributor free protocols.

A very simple secret sharing protocol would generate $n-1$ random binary numbers $r_i$. These numbers are then distributed to the first $n-1$ players, whereas the last player would get $k \oplus r_1 \oplus r_2 \oplus \ldots \oplus r_{n-1}$ where $k$ is the secret being shared and $\oplus$ is bitwise XOR. To reconstruct the secret, all $n$ players need to come together and combine their parts using the function again.

To get a simple threshold scheme where there are n players but k

a unique polynomial of degree $k$. Note that this method would also make it possible to recognize a few malicious players giving false information if sufficiently many players are honest. This method is the first threshold secret sharing protocol published by Adi Shamir in 1979 [47].

2.7 Proofs of Knowledge (Zero-Knowledge Proofs)

First introduced by Goldwasser, Micali and Rackoff [48], these are protocols where one player can prove knowledge of some fact to the other player, without actually revealing the fact. Their role is fundamental in many cryptographic protocols, when some participants cannot be assumed to be honest. Usually based on the challenge-response-verification paradigm (as in the cut-and-choose method), in general they can be made non-interactive using the Fiat-Shamir protocol [25, 49]. For some practical examples see [50], and for a more theoretic overview see [51].

In the following sections we give two examples of zero knowledge proofs. The first one is used to prove that an encrypted text is the encryption of a string in a given set. This proof has several applications [25] in the cryptographic protocols area. The second one is related to mix-nets. It is used to prove that a shuffle performed during a mix is correct, i.e., there is a one-to-one mapping between the incoming and outgoing ciphertexts so that their plaintexts are the same.

2.7.1 Proof of Membership of a Given Set

To prove that the encrypted vote is actually valid and well-formed, i.e., it is a single vote for a single candidate, we use a zero-knowledge proof showing that the plaintext (unencrypted vote) lies in a set of strings consisting of single votes for candidates. In other words, we show that $c(x, y)$ is an encryption of a member of the set $S = \{1, M, M^2, \ldots, M^{p-1}\}$. This is accomplished using the zero-knowledge proof detailed in [25], which is the source of this section.

Let $S$ be the set of messages (as described above in our case), and $c = g^{m_i} r^N \pmod{N^2}$. To prove to $V$ that $c$ encrypts a message in $S$.

1. The prover $P$ picks a random in $Z_N$. He randomly picks $p-1$ values $\{v_j\}_{j \neq i}$ in $Z_N$, and computes $u_i = p^N \pmod{N^2}$ and $\{u_j = v_j^N (g^{m_j}/c)^{e_j} \pmod{N^2}\}_{j \neq i}$. He then sends $\{u_j\}$ to $V$.
2. $V$ chooses a random challenge $e$ in $[0, A)$ and sends it to $P$.
3. $P$ computes $e_i = e - \sum_{j \neq i} e_j \pmod{N}$ and $u_i = r^{e_i} g^{(e - \sum_{j \neq i} e_j)/N} \pmod{N}$ and sends $\{v_j, e_j\}_{j \in \{1, \ldots, p\}}$ to $V$.
4. $V$ checks that $e = \sum_j e_j \pmod{N}$ and that $v_j^N = u_j (c/g^{m_j})^{e_j} \pmod{N^2}$ for each $j \in \{1, \ldots, p\}$.

2.7.2 Proof of Knowledge for a Random Shuffle

In our write-in protocol (Chapter 5) we use the same underlying mechanics as the Vector-Ballot Protocol from Kiayias and Yung. The following zero-knowledge proofs are taken from [52]. Here we give the non-interactive version for simplicity.

Define the predicate $Q^{m,V}_{cipher}$ as: $Q^{m,V}_{cipher}(r) = 1$ iff pk(r, m) = V where is the encryption function. Also note that proofs of knowledges of predicates can be combined by conjunctions and disjunctions efficiently [52].

The randomization of a ciphertext $C$ is done by C' = pk(0) C. By defining $Q^{C_1,C_2,C'_1,C'_2}_{shuffle}$(r_1, ..., r_k, ) = 1 iff C'_(j) = pk(r_j, 0) C_j

We reduce the proof to the usual proof of correct encryption of Paillier, by combining the vector ballots as disjunctions and conjunctions.

2.8 The Cut-and-Choose Method

This method is a common way of constructing zero knowledge proofs. The name comes from a well-known puzzle: How can Alice and Bob, who do not trust each other, cut a cake into two parts without making any measurements, so that both are satisfied with their half? The solution of this puzzle is that Alice (or Bob) cuts the cake while Bob (Alice) picks the half he (she) prefers. The idea is that since Bob will pick the larger one

if the halves are not the same size, Alice will cut the cake fairly. The way this idea usually works in cryptography is when Patrick wants to demonstrate to Victor that a number used in a protocol satisfies a certain property, without showing it directly, as this would reveal the secret that should remain hidden. To accomplish this, Patrick selects $n$ numbers that satisfy this property, and Victor randomly chooses $n-1$ of these numbers and challenges Patrick to demonstrate that the property is satisfied for these, which Patrick does. To cheat, Patrick needs to guess which number Victor would choose, which has a probability of $\frac{n-1}{n}$, meaning that for large $n$ Victor can be convinced that Patrick is not cheating.

2.9 Master Key Generation

Sometimes it is desirable to have a master key $K$, which has access to all the information the underlying keys $K_i$ have (i.e., can decrypt the messages that the underlying key can), but which cannot be constructed using the underlying keys. Kiesler and Harn [53] suggest a solution for this problem.

Here is a simple master key generation protocol, due to Akl [54]. Assume there are $n$ hierarchical user levels $U_i$, such that $U_i$ has access to all user levels $U_j$ for which i j. The algorithm to generate the keys is as follows. All calculations are done modulo $n = pq$.

1. The central authority generates a random key $K_0$.
2. Each user $U_i$ is assigned a public integer t_i = ∏_{U_n U_i} p_n, where $p_i$ is a small prime, and a key $K_i = k_0^{t_i}$.
3. Now user $U_i$ can generate the key for $U_j$ by $K_i = K_j^{t_i/t_j}$. This only works if t_i t_j, which is only true when i j.

2.10 Summary of Building Blocks

These are the most important constructs that will have an integral role in the protocols we propose. While cryptographic hash functions, public key encryption (specifically Paillier), secret sharing protocols and zero-knowledge proofs will be directly or indirectly used in more than one protocol we propose, blind signatures are explained

because of their relation to fair blind signatures that will be discussed later. On the other hand, mix-nets will be used when constructing write-in ballot support for electronic voting systems, and master key generation will be useful in adding access control to our revocable pseudonymity protocol.
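The non-interactive proof of equality of discrete logarithms from Section 2.3.2.1, as an added Python example that is not part of the thesis. The toy modulus, the bases 4 and 9, the sizes chosen for A and B, and SHA-256 as the hash H' are assumptions made for illustration; the secret exponent is called s as in y = r + es.

```python
import hashlib
import secrets

# Constructed toy modulus (two small primes); a real system uses an RSA-size n.
# The group is the set of squares modulo n^2. Its order is treated as unknown,
# so the prover computes y over the integers instead of reducing it.
N = 1019 * 1187
MOD = N * N
B = 2 ** 128                              # challenge range [0, B), assumption
A = 2 ** (MOD.bit_length() + 128 + 80)    # range of r, assumption: wide enough
                                          # that r hides the product e*s


def hash_challenge(*values):
    """H'(g, h, G, H, x, x') reduced into [0, B)."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % B


def prove(g, h, s):
    """Return G = g^s, H = h^s and the proof (e, y) that both logs equal s."""
    G, H = pow(g, s, MOD), pow(h, s, MOD)
    r = secrets.randbelow(A)
    x, x_prime = pow(g, r, MOD), pow(h, r, MOD)
    e = hash_challenge(g, h, G, H, x, x_prime)
    y = r + e * s                         # no modular reduction: order unknown
    return G, H, (e, y)


def verify(g, h, G, H, proof):
    """Check e == H'(g, h, G, H, g^y / G^e, h^y / H^e)."""
    e, y = proof
    if not 0 <= e < B or y < 0:
        return False
    x = pow(g, y, MOD) * pow(G, -e, MOD) % MOD
    x_prime = pow(h, y, MOD) * pow(H, -e, MOD) % MOD
    return e == hash_challenge(g, h, G, H, x, x_prime)


def demo():
    """Honest proof, a statement with unequal logs, and a tampered response."""
    g, h = pow(2, 2, MOD), pow(3, 2, MOD)     # two squares modulo n^2
    s = secrets.randbelow(N) + 1              # the prover's secret exponent
    G, H, proof = prove(g, h, s)
    accepted = verify(g, h, G, H, proof)
    wrong_H = pow(h, s + 1, MOD)              # log_h differs from log_g
    rejected_wrong_log = not verify(g, h, G, wrong_H, proof)
    e, y = proof
    rejected_tampered = not verify(g, h, G, H, (e, y + 1))
    return accepted, rejected_wrong_log, rejected_tampered


if __name__ == "__main__":
    print(demo())
```

In the threshold Paillier scheme of Section 2.3.2.2 each server attaches such a proof to its decryption share, so a share computed with the wrong exponent is rejected before the combining step.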

CHAPTER 3
REVOCABLE ANONYMITY

3.1 Introduction to Revocable Anonymity

Anonymity, in addition to privacy, authenticity, and integrity, is a primary application of cryptography. Several problems require methods supplying anonymity, and it is the key issue for some problems in the field, e.g., e-cash and e-voting. Several general purpose networks like Anonymizer (1) or Tor, (2) or more specific anonymous networks, like the P2P (peer to peer) network FreeNode, (3) have been designed over the years, and their popular use underscores the need for anonymity in today's world.

Although these networks are technically sound, there are some cases where anonymity is required but these networks are not sufficiently equipped for practical use. One example is that sometimes it is preferable not to have complete anonymity, usually to prevent users from breaking the rules or being able to stop criminals by not letting them hide behind the anonymity supplied by these networks. A well known example for such a problem is e-cash, where money laundering and blackmail is a serious problem that cannot be solved with completely anonymous networks. These issues caused researchers to develop revocable anonymity, where authorities have the power to identify users participating in the protocol if the need arises.

Even though that is usually a sufficient solution when there is one authority (like a judge in real life) who should have the power to decide if anonymity should be revoked for a user, in some applications giving this much power to a single entity is not ideal. Our proposed protocol is a practical solution for those applications. It distributes the power to revoke to several authorities - thanks to Shamir's secret sharing protocol, ensuring that at

(1) http://www.anonymizer.com/
(2) http://www.torproject.org/
(3) http://freenode.net/

least some minimum number of them agree on the necessity for revocation. Furthermore, it assigns pseudonyms to users, which makes it possible to have a distinct presence (or reputation) in the network, so that messages from the same user can be verified to be so, while still being anonymous or rather pseudonymous. Another advantage to the use of pseudonymity for the registrars is the possibility to see all the messages that a specific user sent, which can be used to decide if revocation is indeed necessary. Our main contribution is the use of pseudonymity alongside a scheme giving a possibility of revocation when a sufficiently large group of authorities agree on the need for it.

3.2 Problem Definition

The problem we are addressing can be specified in general terms as designing a protocol that simulates a message board satisfying the following requirements:

1. Posting to the board requires registering a pseudonym and an asymmetric key pair associated with it. However the registrar should not be able to discover the link between the users and pseudonyms. Registration will require authentication, however the extent to this will depend on the application. It can vary from real world authentication like driver's license ID or social security number, to just the IP (Internet protocol) address or even an email address of the user.
2. The user can post several messages using the same pseudonym. Since these messages will need to be signed, no user will be able to send a message without a pseudonym, or using a fake one.
3. If $k$ out of $n$ registrars cooperate, the link between the pseudonym and the user can be identified. Since all messages are signed by a key associated with a specific pseudonym, all the messages from that particular user will be known. If there are less than $k$ registrars cooperating, the pseudonym cannot possibly be revealed.

In addition to these requirements, security and privacy concerns will also need to be satisfied.

3.3 Previous Work

In the cryptographic protocols area, there are several research problems which are similar to our problem. Electronic Voting - to some extent - shares some similarities to this problem, as it also requires authentication and anonymity. However e-cash is probably the most similar, because unlike voting, e-cash protocols are not used just for one message.

The major difference between both of these problems and the problem at hand is the need to eliminate duplicates - in our problem it is permissible to send several messages after one registration. Another difference is the use of pseudonyms, which is not used in e-cash protocols, as it would link transactions and thereby reduce anonymity and privacy. As noted before, the e-cash literature has many ideas which might be a good starting point for this protocol. The main reason for this is (other than the general similarity of the problems) that in recent years much research has been done to prevent the use of e-cash for criminal activities like money laundering. This has resulted in many protocols where the anonymity can be compromised if authorities see a criminal activity. The most commonly used principle in these protocols is the use of fair blind signatures.

There are several schemes which employ revocable anonymity schemes in the context of e-cash [55-59]. The main differences between these protocols are usually in how much the authorities/trustees are separated from the e-cash issuer banks. Some of these protocols use markers to later detect the misused or unfairly received money [58, 59], while others recover the identity of the user. There are also differences with respect to efficiency and defenses to some esoteric attacks against the systems.

Preventing criminals from using e-cash systems for their own purposes was the key reason older protocols were not considered practical. In 1995, Stadler et al. proposed a variation on blind signatures, called fair blind signatures, specifically for this problem [60]. Camenisch et al. designed an e-cash system where the anonymity can be revoked by third party trustees to prevent criminals from using anonymity for their own purposes [57]. The difference from previous work was that it does not use an inefficient cut-and-paste scheme and does not necessitate the trustees to be part of the authorization process. Jakobsson and Yung propose a protocol which also guards against possible attacks like coercion of cash issuing banks [55]. Although it might be possible for these protocols to be modified to be used for our purposes, the need for minimal involvement of the authorities on each transaction and the requirement of $k$ out of $n$ security threshold turn out to be serious

problems. Another important problem would be - similar to the problem with general purpose anonymizers - the case that messages cannot be linked to the same user without revocation, which is a requirement in our model.

There are also some generic schemes for controlled anonymity. Claessens et al. have several publications [61-63] about this problem as part of the "APES: Anonymity and Privacy in Electronic Services" workgroup in the Katholieke Universiteit Leuven, Belgium. Both their work and the work of Kopsell et al. [64] have as a purpose the design of general methods for controlling anonymity, usually built on top of a general purpose anonymous communication system like DC-nets [65] or Tor (the onion router). But since this service is based on a general purpose anonymous network, applying it to our problem would be difficult. One reason is the assumption of an anonymous network where the protocol can operate. Another point is the need to combine the judge, the law enforcement agency and the authorities into one without jeopardizing anonymity, because these parties are all different entities in these networks. But the most serious problem is that a protocol constructed this way can only identify the sender for each message separately, and there is no easy way to find all messages sent by the same user (without opening them all), or deducing if two messages are sent by the same sender without opening them. In other words, pseudonyms are not used, and each message has in effect a distinct random pseudonym.

Several other publications proposed related protocols. Zwierko and Kotulski propose a scheme where authentication is done on a group level, i.e., anyone in a certain group can authenticate himself as a member of the group, but his exact identity is not known outside the group [66]. Revocation then is done by identifying the exact member of the group that initiated the protocol. Wierzbicki et al. propose a protocol, designed especially for ad-hoc networks, but which can be applied to a wider range of problems [67]. It supports authentication, with possible revocations. However as the protocol focuses on network based attacks like `man in the middle,' each message (or rather connection) carries some

overhead, which would affect performance in most settings. Another similar protocol is proposed by Lysyanskaya et al. [68], however like many other similar protocols it does not support revocation.

3.3.1 APES: Controlled Anonymous Connections

Claessens et al. propose 3 different methods for controlled anonymity [61]:

3.3.1.1 Basic solution

The entities are: the initiator who is trying to access the Internet anonymously, the mix entity providing the anonymity service, the management entity distributing tickets needed for the service and having the ability of revocation, when the trustee needs to cooperate.

To access the Internet, the initiator generates a session key, where the public key will be the ticket. Using a fair blind signature, the management entity signs the ticket, after the initiator authenticates himself. The communication logs are stored, which enables later revocation. To connect to the Internet, the initiator sends the signed ticket and the responder's address to the mix entity along with a proof of knowledge of the private key of the ticket (as a signature). The management entity verifies the initiator's signature, logs the ticket and signature information. The mix entity on the other hand sets up a secure channel between the initiator and responder. Since the communication is mixed, the correspondence between the initiator and responder are hidden. For the revocation process, the management entity and the trustee retrieve the stored information about the ticket and using the underlying fair blind signature revocation, determine the identity of the initiator.

3.3.1.2 Distributed solutions

To increase the level of anonymity and decrease the amount of necessary trust on the mix entity, the previous protocol can be generalized to a distributed system. Two solutions are given, one based on Onion routing and one the Crowds system.

Although similar in design to our model, there are several differences between these protocols and our proposed protocol. The most important one is again the lack of pseudonyms. Here, different connections from the same user are not linkable without revocation, while it is a requirement in our model. Another difference is the use of (or lack of) threshold system for the revocation process.

3.3.2 Pseudonymous Communications Infrastructure

In his PhD thesis [69], Goldberg defines the nymity of a transaction to be the level of identity that is revealed. These are categorized as:

1. Verinymity: Social security number, address etc. Linkability and permanence are the two key properties for this type.
2. Persistent Pseudonymity: Pseudonym (in the pen name sense). Another type could be defined as unforgeability, where someone else's use of the same pseudonym is prevented.
3. Linkable Anonymity: Prepaid phone cards, frequent purchaser cards etc.
4. Unlinkable Anonymity: Cash etc.

Goldberg then continues to design an anonymous IP infrastructure (AIPI), which has three key components:

1. The IP Wormhole: This is a communication channel, which can be set up by a client between himself and an exit node, and used to protect the identity of the client from adversaries. Although there are some differences, the exit nodes are similar to proxies that are used in other anonymizer networks, and the Wormhole IP is just a structure that uses techniques similar to IP tunneling to hide the identity of the client from the rest of the world.
2. The Network Information Database: This is a database that keeps a list of all the exit nodes along with their private keys.
3. Application Level Proxies: These are proxies that sanitize the incoming data for anonymity and to protect AIPI from attacks or from malicious uses.

The similarities of Goldberg's work and our work is that anonymity is not revocable. Furthermore, although the details are not stated here, this protocol is designed as a layer

on top of the currently used TCP (transmission control protocol). His protocol is much more general, but he does not consider revocation.

3.3.3 Anonymous Publication

Goldberg and Wagner propose a protocol which features anonymous publication [70]. The idea is to use rewebbers as the backbone. These rewebbers are very similar to nodes used in onion routing, except rewebbers operate on the application level, so in a way they offer a simplified version of onion routing. The rewebbers make it possible to hide the location of the main servers. This is accomplished by nesting the URLs (uniform resource locator), only the immediate node on the path being visible, the rest being encrypted. On top of these are the so-called taz servers. These servers supply the main publications, usually in an encrypted manner. This prevents locating the server by searching the text after one receives a document. The taz servers also support pseudonyms, which makes them more interesting. The similarities of this system and our suggested system is easy to see, both supply a way to publish documents (or messages, there is no real difference) from a user with a pseudonym. But the way they work is very different. In our system registration is required, so there is an authentication requirement, whereas there is none when using taz servers. Also taz servers do not support anonymity revocation, although this does not mean that the ID or location of the server can never be discovered.

While some of these protocols are more generic (and hence have more requirements from the environment they can be used in) than necessary, the others have no pseudonym or revocability support. In short, neither of these protocols can be used as a solution to our problem, which is to have revocable pseudonymity combined with a threshold scheme for possible revocations. In the next section we give our proposed protocol which solves this problem.

3.4 Our Contribution: Revocable Pseudonymity Protocol

The protocol is based on the fair blind signature protocol using cut-and-choose, designed by Stadler et al. [60]. It uses fair blind signatures to register the pseudonym-key

pair, without the registering party seeing the pseudonym. This way the link between the user's identity and the pseudonym can only be uncovered by using the revocation procedure. Furthermore, the key required for the revocation procedure is shared between multiple authorities using a threshold secret sharing system.

Before the registration phase, the registrars will have obtained a shared key to be used in case revocation is required. During the registration phase, the user registers a pseudonym and an associated public key, which the signer will not be able to see and therefore will not be able to link afterwards to the user. After the registration, the user will be able to submit messages using the pseudonym and adding a signature, which can be verified with the associated public key. The registrars will save a transcript of the registration phase in a database, which can later on be used to revoke anonymity.

3.4.1 Participants

Before giving a complete description of the protocol, we list the involved parties:

The user $U$, who is trying to register a pseudonym $P$ and its associated public key $PK$.

The $n$ registrars $R_i$, who will have the power to trace the user of any message, when $k$ of them agree. The registrars will only be an active part of the protocol during a possible revocation.

The signer $S$, who will be signing $(P, PK)$, thereby granting the user access. $S$ can be one of the registrars or a different entity. $S$ will need to be able to authenticate $U$, but can also delegate this process to another trusted party.

The basic scenario will start with the user registering a pseudonym to the signer, whereby the signer checks the authentication of the user and gives the pseudonym access at the end. The user will then be able to post several messages using the pseudonym, without being linked to it. We will also describe how the registrars might revoke the anonymity of the user by establishing the link to his pseudonym, if a sufficient number of them agree to do so.

3.4.2 Parameters

Table 3-1 lists the parameters, variables and functions used in the protocol.

Table 3-1. Revocable pseudonymity protocol parameters

$(N, e)$ and $d$ : The signer's public key, and private key, respectively
$E_R$ : The registrar's encrypting function. It can be decrypted by $k$ out of $n$ registrars. The keys can be distributed without a trusted authority using any of the protocols devised for this purpose [43, 44]
$H$ : A one-way secure hash function
$p$ : A security parameter. Increasing $p$ will decrease the forging probability exponentially, but will increase the overhead linearly
$m$ : The concatenation of $P$ and $PK$, separated by a delimiter

3.4.3 Protocol Specification

In this section we detail the specification of the protocol. We first describe the registration phase, and afterwards the process used for sending messages and revocation are explained.

3.4.3.1 Registration

The following is the description of the registration phase.

1. After authenticating herself, $U$ for $i = 1, \ldots, 2p$ randomly chooses $r_i \in Z_n$, and strings ${}_i$, ${}_i$. She then calculates $u_i = E_R(m \,\|\, {}_i)$ and $v_i = E_R(ID \,\|\, {}_i)$. After which she sends $m_i = r_i^e H(u_i \,\|\, v_i) \pmod{N}$ to the signer.
2. The signer then chooses a subset $S$ from $1..2p$ of size $p$, and sends it as a challenge to $U$. This will ask $U$ to demonstrate that $m_i$'s are well-formed with high probability.
3. For every $i$, $U$ sends $r_i$, $u_i$, ${}_i$ as a challenge response.
4. For every $i$, the signer checks if $m_i$ is equal to $r_i^e H(u_i \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N}$. If they check, being convinced that all $m_i$'s are well-formed, he sends back $b = \left(\prod_{i \notin S} m_i\right)^{1/e} \pmod{N}$.

3.4.3.2 Sending messages and revocation

After the registration phase, the $U$ can start sending messages, which will include signatures that the system will verify. In this section we explain how this is accomplished and how a possible revocation would work.
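The registration steps above, together with the signature formation, verification and revocation of Section 3.4.3.2, as an added Python example that is not the thesis's own code. Assumptions: toy RSA keys built from Mersenne primes, SHA-256 for H, a single textbook-RSA key standing in for the k-of-n shared E_R, the names alpha and beta for the two random strings of step 1, and a challenge response that opens only the indices in S, so that T holds the unopened ones.

```python
import hashlib
import secrets

# Constructed toy keys built from Mersenne primes (illustration only).
E = 65537
SP, SQ = 2**89 - 1, 2**107 - 1              # signer's primes
N = SP * SQ                                  # signer's public key is (N, E)
D = pow(E, -1, (SP - 1) * (SQ - 1))          # signer's private exponent d
RP, RQ = 2**127 - 1, 2**521 - 1              # assumption: one registrar key stands
RN = RP * RQ                                 # in for the k-of-n shared key of E_R
RD = pow(E, -1, (RP - 1) * (RQ - 1))


def enc_r(text, salt):
    """E_R(text || salt): deterministic once the random salt is fixed."""
    block = text.encode() + b"\x00" + salt
    return pow(int.from_bytes(block, "big"), E, RN)


def dec_r(cipher):
    """Stand-in for the joint decryption by k registrars; drops the salt."""
    value = pow(cipher, RD, RN)
    block = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return block.split(b"\x00", 1)[0].decode()


def h(u, v):
    """H(u || v) mapped into Z_N."""
    digest = hashlib.sha256(f"{u}|{v}".encode()).digest()
    return int.from_bytes(digest, "big") % N


def user_commit(m, embedded_id, p):
    """Step 1: build 2p blinded candidates m_i = r_i^e * H(u_i || v_i) mod N."""
    rows = []
    for _ in range(2 * p):
        r = secrets.randbelow(N - 2) + 2
        alpha, beta = secrets.token_bytes(16), secrets.token_bytes(16)
        u, v = enc_r(m, alpha), enc_r(embedded_id, beta)
        rows.append({"r": r, "alpha": alpha, "beta": beta, "u": u, "v": v,
                     "m": pow(r, E, N) * h(u, v) % N})
    return rows


def signer_sign(identity, blinded, opened):
    """Step 4: check each opened candidate, then sign the product of the rest."""
    for i, (r, u, beta) in opened.items():
        if blinded[i] != pow(r, E, N) * h(u, enc_r(identity, beta)) % N:
            return None                      # malformed candidate: refuse
    product = 1
    for i, m_i in enumerate(blinded):
        if i not in opened:
            product = product * m_i % N
    return pow(product, D, N)                # b = (prod m_i)^(1/e) mod N


def register(m, identity, p, embedded_id=None):
    """Run steps 1-4 and unblind; returns (s, T), or None if the signer refuses."""
    rows = user_commit(m, embedded_id or identity, p)
    challenge = set(secrets.SystemRandom().sample(range(2 * p), p))    # step 2
    opened = {i: (rows[i]["r"], rows[i]["u"], rows[i]["beta"])          # step 3
              for i in challenge}
    b = signer_sign(identity, [row["m"] for row in rows], opened)
    if b is None:
        return None
    kept = [row for i, row in enumerate(rows) if i not in challenge]
    r_product = 1
    for row in kept:
        r_product = r_product * row["r"] % N
    s = b * pow(r_product, -1, N) % N        # s = b / prod r_i mod N
    return s, [(row["alpha"], row["v"]) for row in kept]


def verify(m, signature):
    """Check s^e == product over T of H(E_R(m || alpha) || v) mod N."""
    s, pairs = signature
    expected = 1
    for alpha, v in pairs:
        expected = expected * h(enc_r(m, alpha), v) % N
    return pow(s, E, N) == expected


def revoke(signature):
    """Registrars decrypt every v in T; an honest registration yields one ID."""
    return {dec_r(v) for _, v in signature[1]}


if __name__ == "__main__":
    m = "nym-7f3a|PK-placeholder"            # constructed P || delimiter || PK
    sig = register(m, "user-4711", p=4)
    print(verify(m, sig), revoke(sig))
    print(register(m, "user-4711", p=4, embedded_id="someone-else"))
```

The last call embeds a different identity in every candidate, so each opened index fails the signer's check in step 4 and no signature is issued; a user who falsifies only some candidates is caught whenever one of them falls in S.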

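The signature can be formed by $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$ and the set $T = \{({}_i, v_i) : i \in S\}$.

The signature can be verified by $s^e = \prod_{(\,,v) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$.

Given the signature $(s, T)$, $k$ out of $n$ registrars can identify the user by calculating $ID$ from the $v_i$'s in $T$. Since the key for $E_R$ are shared between the registrars, it cannot be decrypted without at least $k$ of them.

3.4.4 The Math In Detail

Checking the signature is performed by $s^e = \prod_{(\,,\,) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$. To see why this works, recall that $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$, so

$s^e = \left(\frac{b}{\prod_{i \notin S} r_i}\right)^e \pmod{N}$
$= \frac{b^e}{\left(\prod_{i \notin S} r_i\right)^e} \pmod{N}$
$= \frac{b^e}{\prod_{i \notin S} r_i^e} \pmod{N}$
$= \frac{\left(\left(\prod_{i \notin S} m_i\right)^{1/e}\right)^e}{\prod_{i \notin S} r_i^e} \pmod{N}$
$= \frac{\prod_{i \notin S} m_i}{\prod_{i \notin S} r_i^e} \pmod{N}$
$= \frac{\prod_{i \notin S} r_i^e H(u_i \,\|\, E_R(ID \,\|\, {}_i))}{\prod_{i \notin S} r_i^e} \pmod{N}$
$= \prod_{i \notin S} H(u_i \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N}$
$= \prod_{i \notin S} H(E_R(m \,\|\, {}_i) \,\|\, E_R(ID \,\|\, {}_i)) \pmod{N}$
$= \prod_{(\,,v) \in T} H(E_R(m \,\|\, {}_i) \,\|\, v_i) \pmod{N}$

3.4.5 Security Analysis

With any cryptographic protocol, care must be given to security, i.e., the design (and implementation) of the protocol needs to satisfy the requirements of the protocol. In other words, there should be no feasible way of recovering any secrets, even if some of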

the participants collude against another participating party. It is very easy to overlook some potential weaknesses against certain attacks to the protocols, furthermore protocol designers might not be considering all possible attack vectors.

To analyze the security of our protocol, we [loosely] base our methodology on the analysis carried out in the work of Diaz et al. [62]. Their work contains methodologies (rather than analysis of specific protocols) of several types of anonymity protocols. We build upon their final model for anonymous email analysis, while modifying and extending their work to fit our problem.

Revoking anonymity without k registrars: Since the registrars receive no information during the registration phase, the revocation will only be using the pseudonym, the message and the signature. The signature contains the tuple set $T$ containing $({}_i, v_i)$ along with $s = \frac{b}{\prod_{i \notin S} r_i} \pmod{N}$. However $s$ is computed without the use of $ID$, hence the only information the registrars have to get the $ID$ are the tuple set $T$, where only the $v_i$'s are significant for their purpose. If they can decrypt even just one of these $v_i$'s they would be able to get the $ID$, however the 's prevent (acting as salt) any trial-and-error method, so the problem reduces to deciphering any one of the $v_i$'s. This however is assumed to be secure by the secret sharing protocol, hence the registrars cannot identify the $ID$. Therefore we conclude that the underlying secret sharing protocol ensures that without $k$ out of $n$ registrars, they will not have sufficient information to find the real id of a user.

Revocation Without the Apparent Need: This is a problem that is not (or cannot be) solved in our model. It is assumed that fewer than $k$ out of $n$ registrars would be colluding, and so this problem reduces to `Revoking Anonymity Without k Registrars'. Still, if the above mentioned assumption cannot be reasonably made, the proposed protocol would not be a good fit.

Sending Messages Without Registering: A valid message needs to have a valid pseudonym/signature pair, so it is not possible to send a message without registering.

Also, forging the signature requires breaking the public key encryption system. Note that the prevention of non-valid messages will be done on the implementation level, where they will just be discarded rather than posted by the server. To see why forgeries need to break the public key system, note that the signature will need to satisfy $s^e = \prod_{(\,,v) \in T} H(E_R(m \,\|\, ) \,\|\, v) \pmod{N}$. Even given the opportunity to choose any ( , v), the forger either needs to have access to the public key of the registrar, or break the public key system to get the $E_R(m \,\|\, )$ part. Without that, the only other possibility is that the forger can generate a required hash value by adjusting one of the $v$ values, which we assumed is not possible by our choice of secure hash function. So under these assumptions, the signature is not forgeable.

Linking Messages to Users without Revocation: Without $k$ out of $n$ registrars, they will have the same information as the underlying fair blind signature protocol has, so the safety of this protocol is satisfied if its safety is. Another way of seeing how this is not possible is by considering the easier attack of `having less than k registrars collude to revoke an identity' we analyzed, where we concluded that it is not possible. Any attacker will have less information than the registrars, so this attack would be at least as difficult. Another possible weakness is the communication channel having a leak whereby the identity of a user can be determined. This can be prevented by using secure communications, which is delegated to the implementation phase and not discussed in detail here.

Linking Messages to Each Other: This is of course possible as part of the protocol by design. However if a user has two pseudonyms, linking those two would only be possible if the same identity is used, in which case the problem reduces to `Linking Messages to Users without Revocation'.

Sending Non-authentic Messages: This requires the messages to be signed using forged signatures. Since a malicious user would only have the public key, the security of the system is safe as long as the underlying public key encryption system is safe. Also,

this is basically just one aspect we analyzed in the section `Sending Messages Without Registering'.

Timing Attacks: Like many cryptographic protocols, this protocol is susceptible to timing attacks as well. The registrars can gather useful information on new users by observing messages from a new pseudonym. But completely solving this problem cannot be done on the design level and needs to be taken into account at the implementation/deployment level. One idea that can be used is to have a [random] minimum time period before a new user can post a message, which should give at least some protection against timing attacks.

3.4.6 Improvement: Access Control

Supporting access control in our proposed protocol would be useful in some settings, so in this section we give an easy way of augmenting the system with user groups and access control. The assumption is that the groups and associated users will be known (and administered) by the registrars, although modifying the setup to have the users set-up their own groups is also straightforward.

3.4.6.1 Single tiered

During registration, each user gets keys $K_i$ for all the user groups $G_i$ he belongs to. Now each message (which also includes the pseudonym of the sender for privacy) sent to the board will be encrypted using this key. The group information will be added, so that users of the group will know which keys to use.

3.4.6.2 Multi tiered

Here we explain how a two tiered setup would work, generalizing to multiple tiers is straightforward. The assumption is that there are two levels of permissions: the admin and user groups.

At the beginning, using a master key generation algorithm [53], one generates keys $K_i$ for groups as well as the master key $K$. Now the process is identical to the single tiered protocol, except the admins (users with the master key) have access to all the groups.

3.4.6.3 Problem with new groups

If new groups are created after some users have already registered, there is no easy way for those users to gain access without another registration. To solve this problem, a method one can apply is to have another public board where the new keys and pseudonyms (with added salt) are encrypted with the user's public key. Regularly checking this board and downloading new keys will be possible, as only the users themselves have their own private keys. Since the ID's are also encrypted, the mappings between ID's and groups will still be secret.

3.4.7 Applications

Collaboration Systems. There are collaboration systems where users might prefer to remain anonymous. Wikis are a good example, as users might be interested in anonymity - especially for some articles. Also having a single moderator that decides what is acceptable/right and what is not is usually not desirable, especially since it is contrary to the democratic spirit of wikis.

Message Boards/Chat Rooms. Our protocol can be used in place of any general purpose message board, where both authentication and privacy are needed or preferred and revocation might be useful. This use can be extended to functionally similar applications like chat rooms or instant messaging networks.

Peer Review. Our protocol can also be used as the underlying protocol for a peer review system. Here authentication will be required (so that the referees are necessarily experts), but anonymity is also needed (which is usually the case in most journals/conferences). Revocation should not be necessary, but its existence might be useful. Alternatively revocation can be done afterwards, where the results will only be seen by the editorial committee - for example for evaluation/screening (of the reviewers) purposes. In general the protocol can be used even in applications where revocation will always be done at the end, but where anonymity is important until the end.

Multiplayer Games. In multiplayer games where the identity of the players can be an unwanted advantage or disadvantage, a protocol like ours can be used to have anonymous players whose identity will be revoked at the end of the game to see who the winner is. This is also a case where the revocation does not just happen in case a rule is broken, but where it will be definitely revoked as part of the scenario.

3.4.8 Conclusion

In this chapter we presented a model for a pseudonymous message-board system supporting threshold controlled anonymity and proposed a protocol satisfying the requirements of this model. We believe it has several practical applications, of which we presented some. Furthermore it can be easily developed, deployed and extended. We also demonstrated the security of the system by enumerating the possible attack vectors and evaluating the protocol's defenses against these.

Our protocol gives a detailed description of a sophisticated message board application. This message board application requires authentication, while also essentially supporting anonymity. The protocol was carefully designed to support pseudonyms with the idea of helping the users to have a distinct presence (or reputation) while not giving up on anonymity. This is the major difference between our protocol and other anonymity protocols, which we believe will be essential in many practical uses. It is imperative, or at least desirable in some cases, to have a distinct presence or some form of reputation in some applications, for which we listed several examples. We believe that these and various other possible uses make our contribution significant.

Another distinction of our protocol is the possibility of revocation. While we admit that total anonymity should usually be preferred, in several other cases some limitations (meaning possible revocation) are important for the security and healthy functioning of the protocol. However one needs a way to prevent arbitrary revocations, which our protocol is designed to prevent using a threshold scheme. This is not only useful to prevent malicious users misusing the system, but also in some applications where
eventually the identity will need to be revealed it provides a security blanket preventing the authorities from gathering information about the users prematurely.

CHAPTER 4 ELECTRONIC VOTING

4.1 Introduction to Electronic Voting

Cryptography based electronic voting has been an active research area for many years. Although several different protocols have been designed, they are mainly based on one of three key ideas: Mix-Nets [37, 47, 71, 72], Blind Signatures [73, 74], or Homomorphic Encryption [52, 75-78]. The agreement among researchers is that these protocols should satisfy certain properties like privacy, accuracy, universal verifiability, robustness, and coercion resistance. Also being convenient for the voters is always considered to be an important factor.

Recently, when the increasing use of electronic ATM-like machines - called DRE's ("Direct Recording Electronics") - in actual elections was criticized for the lack of voter verification, support for "paper receipts" was added to the key requirements list. All these issues took the center stage especially after the election debacle in Florida in 2000, after which the Congress passed the 'Help America Vote Act' (HAVA), a legislation attempting to bring the voting procedures under the federal government's purview [79] and improve the guidelines, requirements, and the voting processes. Several civil rights groups (Verified Voting Foundation, http://www.verifiedvotingfoundation.org, is perhaps the best known example) still advocate the importance of voter verification and it has become the focal point of voting system researchers and voting device supplier companies.

Recently there have been many protocol proposals for electronic voting systems supporting verifiable receipts [2, 71, 80]. Although these protocols have strong theoretical foundations, currently most companies supplying DRE systems prefer to solve the verifiable receipt problem in a simplistic way by having the voting machine print out an untraceable vote and deposit it to the voting box after the voter's examination.
However, the electronic part of these systems is probably - details are usually lacking and the systems are proprietary - still lacking strong cryptographic privacy and security.

Putting aside economical considerations, the main reason for this seems to be the simplicity and ease of use of these systems. Ease of use is always an important consideration in complicated software systems for obvious reasons, but simplicity in this context has also an important additional advantage: people tend to trust systems they can understand.

In light of these issues, improving the currently used systems rather than the protocols that are theoretically sounder but are usually not employed might be more productive. To this end, in this chapter we use methods that are used in the literature that would improve the existing practical systems (Mercuri method), without reducing the stronger properties of said systems and analyze their security properties and assess the implications of having extra paper ballots in addition to electronic ballots.

Our first contribution is to combine the two popular (although in different contexts) voting system paradigms, while fixing several problems some previous systems had. Perhaps our main contribution is the addition of an auditing mechanism which makes it possible to sample the paper ballots to check the correctness of the electronic votes and give another layer of security to the whole system, without weakening the privacy and coercion-resistance of the system. This audit mechanism can also be employed in other homomorphic encryption based systems that also utilize paper ballots. Furthermore we give a security analysis of the proposed system that we believe adds another dimension to the usual, but in some cases insufficient, attack vs. defense paradigm.

4.2 System Design Perspective

Rather than trying to improve on the work seen in academia, the focus of our research is to build a system as complete as possible that is both practical, readily implementable by the industry, and that fits the related companies, government agencies, and especially voters' needs and preferences. Furthermore, it should also use the cutting edge research
done by both researchers and companies, and thereby have a strong theoretical framework. Another important point is having an extensive security analysis, which is usually missing in most academic voting protocol proposals. The focus on the analysis will not be only to show what security properties are satisfied, but also the potential risk of the properties not satisfied, and the possible trade-offs between these properties. The additional security of the (possibly redundant) paper ballots will also be another consideration.

To accomplish this we first list the basic requirements and fundamental principles for voting systems along with preferable attributes. Since much has been said about these issues both in technical [81, 82] and non-technical papers, in government and corporate white papers, and in the media, this part will also include an organized compendium of existing ideas.

After that, the preferences of all the involved parties (voters, government agencies, and companies) will be examined, and in light of these preferences the currently marketed systems as well as academic research will be evaluated. Using existing literature and original research, a new system (or possibly many) that fits all the parties as much as possible will be designed.

One important issue is the assumptions made by academic researchers (sometimes unknowingly), and their lack of practicality. As it is common in the security field, unfortunately, the most important and easily circumvented problems are not addressed, while the rather inessential problems are examined in excessive detail. Addressing these problems and analyzing them is of key importance.

4.3 Voting System Requirements

As the electronic voting field has developed, researchers started to form a set of properties that any protocol should satisfy. Although the definitions (and even some of the requirements) might change slightly from author to author, here is a basic list that most experts would agree on:

Accuracy or Correctness of a voting system indicates that all votes are counted correctly - they cannot be altered, duplicated, or removed [83].

The Privacy requirement ensures that each individual vote will be only known to the voter. The voting machine is usually not included for obvious reasons, although some systems manage even to hide the vote from the voting machines.

The Fairness property ensures that no party can learn the outcome of the election before the ballots are tallied.

Uniqueness ensures that a voter cannot vote more than once.

Individual Verifiability means that the voter can be convinced that his vote is counted correctly, while universal verifiability means that any party can convince itself that the election was fair.

Receipt Freeness is required to prevent coercion so that vote buying is prevented. Satisfying this property along with (the seemingly contradictory property of) verifiability is the central challenge in designing a voting protocol.

Robustness ensures that the voting protocol can recover from various errors and attacks.

Convenience for the voters is often regarded as another requirement. To satisfy this requirement, a voting system should not require any special gear and the voting process should be intuitive so that voters are able to vote after a basic description or a simple demonstration.

Note that some of these requirements - like convenience and robustness - are not easy to define or quantify, and it is sometimes difficult to assess how much a protocol satisfies these. Furthermore, satisfying even the key requirements like privacy and accuracy, can be difficult to prove, which makes the field an especially challenging one.

4.4 Previous Work

The study of electronic voting protocols is one of the most active subjects in the cryptographic protocols area. Earlier protocols focused on privacy and voter verifiability [75, 84-86]. With the seminal paper of Cramer et al. [87] receipt-freeness was introduced as an important requirement, and soon after several solutions were published [25, 73, 77, 88-92].

Beginning with the use of DRE's, and the public's skepticism of their correctness, paper receipts (or VVPRs, i.e., voter verifiable paper receipts) as part of individual or universal verifiability took the center stage as a key issue [47, 52, 78]. Recently many technical and non-technical papers have discussed the security of currently used voting devices, especially the use of paper-receipts [80, 81, 93-99].

Another direction where voting protocols have gone over the last decade is Internet voting [78, 83, 100-102], but the requirements and properties of these systems are usually considerably different than the systems under consideration. Accompanying the research on electronic voting, there are also proposals for voting systems that use older technology (like punch-cards), which have security and usability properties not much different from electronic voting protocols. Punchscan (http://www.punchscan.org) and Scantegrity [103], both based on punch-card technology, are two examples of such systems.

4.4.1 Blind Signature Based Protocols

In blind signature based protocols, the main idea is to use blind signatures to get the vote certified without letting the certifier see the chosen candidate. After that stage the vote is unblinded and submitted for tallying. Using blind signatures makes satisfying privacy rather easy, however having a two-step process makes it harder to prevent cheating and also degrades performance in large-scale elections.

The possibility of using blind signatures to implement voting protocols was first mentioned by Chaum in his seminal paper describing blind signatures [31, 104]. The work of Fujioka et al. [74] is among the first proposed voting protocols, which is also the first complete voting protocol based on blinded signatures. However, among other problems, it had a serious security risk: the election authority could submit votes for abstaining voters. This problem was later fixed by Cranor and Cytron [85]. Sako improved previous protocols by making it possible for the voters to object to the tally [105], and
later Juang and Lei managed to improve this idea by making the objections anonymous [84]. The protocol proposed by Chen et al. [100] does not require a special voting channel and communications can occur entirely over the current Internet. Okamoto proposed a blind-signature based protocol supporting receipt-freeness [73]. Juang, Lei and Yu propose a method to make abstaining possible [106], while again Juang and Lei suggest a method to make blind-signature based protocols collusion-free [107]. Kim et al. combined blind-signatures and mix-nets to implement a practical system for Internet voting based on a public key infrastructure [108].

Among these protocols, Sensus [85] is a representative protocol, so we give a detailed description of it in the next section.

4.4.2 Sensus

Sensus [85] is a voting system based on modules, the key ones being: the registrar, the pollster, the validator, and the tallier. The registrar is responsible for registering voters before the election. The pollsters act as agents to the voters, and they help the voters with all computational and informational functions, like collecting voter's responses and obtaining validations. As pollsters require complete trust, a personal copy can be used for Internet voting. The validator checks voter registration and ensures that no voter casts more than one vote. The tallier is responsible for collecting ballots and tallying the results. It also checks the authenticity of the validation.

Here is a detailed description of all the transactions between these modules:

1. The registrar sends a voter identification number ID and a secret token T to all registered voters.
2. Each voter (or rather pollster) generates a public/private key pair $(i_e, i_d, i_n)$, and sends the public key $(i_e, i_n)$ to the registrar, along with their identification number ID and token T acting as password authenticating the voter. They also generate a ballot seal key pair $(s_e, s_d)$.
3. The validator gets the pairs $(ID, i_e)$ for the validated voters from the registrar, and also publishes his public key $(v_e, v_n)$.
4. The tallier generates a public/private key pair, and publishes the public key $(t_e, t_n)$.
5. When the election starts, the pollster gathers the chosen candidate from the voter, calculates the blinded ballot digest $b = m k^{v_e} \pmod{v_n}$ and submits $(b, ID, b^{i_d})$ sealed with $v_e$ to the validator.
6. The validator opens the seal using $v_d$, and checks if $(b^{i_d})^{i_e} = b$ and signs the ballot by sending back $b^{v_d}$, if everything checks out.
7. The pollster opens the seal with $i_d$, unblinds $b^{v_d}$ by computing $m^{v_d} = b^{v_d}/k \pmod{v_n}$ and verifies if $(m^{v_d})^{v_e}$.
8. If the validation checks out, the pollster sends $(m^{v_d}, V^{s_e})$ sealed with $t_e$, where $V$ is the voted ballot.
9. The tallier opens the seal with $t_d$, verifies the digest $V^{s_e} = (m^{v_d})^{v_e}$, signs $V^{s_e}$ by calculating $(V^{s_e})^{t_d}$. It then updates the voter list (to mark that this voter's ballot was signed) and assigns a receipt number R to the new receipt $(V^{s_e})^{t_d}$, which he then sends to the pollster along with R.
10. The pollster verifies $((V^{s_e})^{t_d})^{t_e} = V^{s_e}$ and sends $(R, s_d)$ to the tallier.
11. The tallier opens $V^{s_e}$ with $s_d$ and updates the tally according to the voted candidate. It also marks the voter as "voted" in the voter list.

As a concluding remark, note that this protocol satisfies verifiability by letting the voter verify that their votes were counted correctly. However it does not satisfy universal verifiability, i.e., any interested party cannot verify if all votes were counted correctly. Also note that this protocol is not receipt-free, a voter can use the blinded ballot (by opening the ballot using the public key of the tallier and supplying the private ballot key $s_e$) to prove how he voted.

4.4.3 Mix-net Based Protocols

The idea behind using mix-nets in voting protocols is to make sure the link between the initial encrypted ballots and the final decrypted ballots is lost, and no single entity can recover the link. The reason this is necessary is that the initial ballots are linkable to users, which incidentally makes voter verification possible. The key property of any mix-net is for each mixer to prove that their mix is correct, so that no malicious mixer can corrupt or change the votes while mixing.
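
Steps 5 to 7 of the Sensus exchange in Section 4.4.2 are an RSA blind signature; the sketch below is an added example (not code from Sensus or from this thesis) that runs them end to end, including the validator's one-validation-per-ID check. The toy Mersenne-prime keys, the SHA-256 digest, the voter ID strings, the omission of the sealing layers, and the final comparison of $(m^{v_d})^{v_e}$ against $m$ are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent used for both toy keys (assumption of this example)


def make_key(p, q):
    """Return an RSA key (e, d, n) built from the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return E, pow(E, -1, phi), n


# Toy keys from known Mersenne primes (constructed; far too small for real use).
V_E, V_D, V_N = make_key(2**89 - 1, 2**61 - 1)     # validator (v_e, v_d, v_n)
I_E, I_D, I_N = make_key(2**127 - 1, 2**107 - 1)   # voter (i_e, i_d, i_n), with i_n > v_n


def digest(sealed_ballot: bytes) -> int:
    """m: digest of the sealed ballot, reduced into the validator's modulus."""
    return int.from_bytes(hashlib.sha256(sealed_ballot).digest(), "big") % V_N


def blind(m: int):
    """Step 5: pick a blinding factor k and compute b = m * k^v_e mod v_n."""
    while True:
        k = secrets.randbelow(V_N - 2) + 2
        if gcd(k, V_N) == 1:
            return (m * pow(k, V_E, V_N)) % V_N, k


class Validator:
    """Step 6: check the voter's signature on b, then sign b blindly, once per ID."""

    def __init__(self, registered):
        self.registered = registered   # ID -> (i_e, i_n), as supplied by the registrar
        self.validated = set()         # IDs that already obtained a validation

    def validate(self, b, voter_id, b_signed):
        if voter_id not in self.registered or voter_id in self.validated:
            return None                # unknown voter or second request: refuse
        i_e, i_n = self.registered[voter_id]
        if pow(b_signed, i_e, i_n) != b:   # (b^i_d)^i_e must give back b
            return None
        self.validated.add(voter_id)
        return pow(b, V_D, V_N)        # b^v_d; the validator never sees m


def unblind(b_vd: int, k: int) -> int:
    """Step 7: m^v_d = b^v_d / k mod v_n."""
    return (b_vd * pow(k, -1, V_N)) % V_N


def verify(m: int, m_vd: int) -> bool:
    """Ordinary RSA verification of the validator's signature on m."""
    return pow(m_vd, V_E, V_N) == m


def run_exchange(validator, voter_id, sealed_ballot):
    """Pollster side of steps 5-7; returns (m, b, m^v_d), or None if refused."""
    m = digest(sealed_ballot)
    b, k = blind(m)
    b_signed = pow(b, I_D, I_N)        # voter's signature b^i_d on the blinded digest
    b_vd = validator.validate(b, voter_id, b_signed)
    if b_vd is None:
        return None
    m_vd = unblind(b_vd, k)
    return (m, b, m_vd) if verify(m, m_vd) else None
```

The unblinded value equals a direct signature on $m$ even though the validator only ever handled $b$, which is what lets the tallier in step 9 accept the ballot without the validator being able to link it to the ID it validated.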

Chaum's groundbreaking paper introducing mix-nets and suggesting several practical uses (untraceable email, digital pseudonyms, etc.) also included the idea of using the same construct for electronic voting. Several researchers built on these ideas [109-111], where Sako and Kilian [111] introduced the first receipt-free voting protocol based on mix-nets. Furukawa and Sako designed an efficient method for proving a shuffle - the major efficiency bottleneck for a mix-net based scheme [40]. Some alternative schemes were proposed to implement a mix-net for use in voting protocols, with different efficiency, security and functionality characteristics [39, 112, 113]. Juels and Jakobsson combined coercion-resistance with universal verifiability [114], while Lee et al. provide a method that can be used in most mix-net based voting protocols to support receipt-freeness [89]. Recent work in electronic voting keeps using mix-nets [71, 72], sometimes in combination with homomorphic encryption based protocols [52, 115].

In the next section we give a short description of a mix-net based voting protocol, Prêt à Voter, which introduced several novel ideas. For a more detailed description, see Section 5.2.2.

4.4.4 Prêt à Voter

In 2004, Chaum proposed one of the first voter-verifiable and coercion-free election protocols based on visual cryptography (Votegrity) and mix-nets to be used with DRE machines [116]. The voter verifiable receipts are based on images, which was one reason for the protocol's questionable practicality. Later, Chaum, Ryan, and Schneider proposed a new version of this protocol [71], which is based on a different idea, although the underlying mechanics are very similar to the image-based protocol. Chaum's protocol uses paper ballot forms generated and distributed in advance. The ballots have two separable parts. One which lists the candidates in a random order and the other containing both a column for the voter to mark his choice and the "onion", which in effect is an encrypted index for the random order of candidates thereby making it possible to construct the ordering later on. This way privacy and secrecy is achieved. The part with the candidate
list will be destroyed by the voter (to forestall coercion, by preventing the voter from proving how he voted) before feeding the other part to the voting device, thereby preventing the voting device from ever learning the voter's choice, because the order of the actual candidate list is encrypted. A special type of mix makes it possible to decrypt the vote, without leaving a link to the receipt, hence making the protocol coercion-free. Since the voting devices never learn the vote, ensuring privacy and preventing the voting machine from maliciously changing the votes is greatly simplified. The drawback of this approach is the need to verify the authenticity and correctness of the ballots. It also does not support write-in votes.

In Section 5.2.2 we give a more detailed description of "Prêt à Voter", as our work in the next chapter is based on this protocol.

4.4.5 Homomorphic Encryption Based Protocols

The use of homomorphic encryption makes it possible to add all encrypted ballots - without decrypting them - and then decrypting the result to get the tally, the same tally one would get with first decrypting and then adding the votes. This is possible because in a homomorphic encryption system the identity E(A+B) = E(A) + E(B) holds. This method handles most of the problems associated with privacy, because the votes are never individually decrypted. It also reduces overhead, as compared to the other types of protocols it requires neither blinding nor necessarily mixing. Voter verification is also easy, since like mixnets there is no inherent harm in the encrypted votes being linked to voters. Having multiple authorities and using threshold schemes to decrypt the tally (as is usually the case) also makes sure the authorities cannot misuse their power. However, these types of protocols have also their limits. For example write-in ballots are very hard to support due to the nature of the tallying process.

The concept of using homomorphic encryption was introduced by Josh Benaloh [75, 117] who also enhanced the method by making it harder for the authorities to see each individual's vote [118]. Sako and Kilian started the work on making the homomorphic
encryption based schemes more efficient than mix-net based schemes [119], and soon Cramer [76, 87] designed a very efficient homomorphic encryption scheme, considered the first practical such protocol. Baudron et al. further improved the efficiency of their scheme [25]. The work of Fouque et al. and Damgard et al. [26, 28] introduced the use of the Paillier [18, 120] cryptosystem to improve upon previous work by increasing efficiency and making multi-candidate elections possible. Hirt [77] combined the protocols from Sako and Kilian [111] and Cramer [76] using the designated-verifier proofs of Jakobsson [121] to get an efficient and receipt-free protocol, which starting early in the 2000's was considered a requirement and the focus of most works on the subject [88, 91, 92]. Groth showed how to use an efficient mix-net to improve a homomorphic encryption based scheme [115]. Acquisti focused on implementing write-in ballots in receipt-free voting protocols [78].

The following section gives a description of a representative homomorphic encryption based voting system with a novel approach to support write-in ballots. It does not support receipt-freeness however, a problem we study in the next chapter.

4.4.6 The Vector-ballot E-voting Approach

Proposed by Kiayias and Yung [52], the main new idea in this protocol is the support of write-in votes. To this end the authors propose a composite ballot, the so called 'vector ballot'. As the external representation should be indistinguishable whichever part is used for a vote, a way to ensure ballot validity and regularity is required. This is solved using 'provably consistent vector ballot encodings.' The two different types of votes will be tallied differently, the regular votes using homomorphic encryption (therefore efficiently), and the write-in votes by mixnets. Another improvement from previous protocols is the final tally time, which is reduced from O(nc) to O(cn), where n is the number of voters and c is the number of candidates.

In this protocol, each ballot has three components (hence the term vector-ballot). The first part has a possible selection for a pre-determined candidate. The second part is a flag indicating whether the candidate for whom the vote was cast is a pre-determined
candidate or a write-in candidate. The third part consists of the write-in. The pre-determined portions are tallied using homomorphic encryption, while the write-in parts are tallied using mixnets. The four major steps in the protocol are described next.

Setup: The s authorities $A_1, \ldots, A_s$ submit their public keys to the bulletin board. The secret key is shared between these authorities.

Casting: After getting authorized, each voter casts their vote. Each vote is either for a pre-determined candidate from the set $\{1, M, M^2, \ldots, M^{c-1}\}$, where M is an integer larger than the number of possible voters, in which case the second and third parts of the ballot will be encryptions of 0. Or the first part is an encryption for 0, the second part is an encryption for 1, and the third part an encryption for the write-in vote. This basically makes the middle part a flag indicating if the cast vote is for a pre-determined candidate or write-in. See Section 2.7.2 for the proof of consistency that only one vote is cast, and [52] for further details.

Tallying: After splitting the ballots into their parts, tallying the first part works like the other homomorphic encryption based schemes, i.e., they will all be added and at the end decrypted to extract the resulting tally. The tallying of the write-in votes is done using a method called shrink-and-mix. The main idea in using this method is that given any k ballots, one can check if there are any write-in votes without decrypting the ballots. This can be accomplished by just decrypting the second parts of the ballots. The method uses this fact to randomly select some ballots and eliminate them if they contain no write-in votes. Repeating this process many times in effect will decrease the number of ballots, hence increasing efficiency, even though not all non-write-in ballots will be eliminated. The remaining ballots will then be submitted to a mixnet, which will act as an anonymizer making sure the link between the initial ballots and final ballots is lost. Finally the write-in ballots will be opened and added to the tally.

Details of the shrink phase: Let V {1, 2, ..., n} be the ballots which have a predetermined candidate selected, and V′ be the ballots with a write-in candidate. The
aim of this phase is to get a new set V, such that V′ V {1, 2, ..., n}. The authorities now calculate the number of write-in ballots h. They then divide the ballots into batches of b ballots each, where b is a parameter related to the desired final ratio of predetermined votes over write-in votes. For each batch, if it does not contain a write-in candidate, all the ballots in that batch are removed from V′. After the first step the expected size of V will be $n - n\left(1 - \frac{h}{n}\right)^b$. Note that to check if the batch contains a write-in vote, the authorities can add all the 'flag' parts and get the sum of these using the homomorphic encryption property. Recall that this flag is zero if a predetermined candidate is chosen and one if a write-in candidate is chosen. So this sum will be zero only if none of the ballots used a write-in candidate. This same method will also be used to get the number of write-in votes cast that will be used in calculating h as previously stated.

Details of the mix phase: According to the authors, the mix phase can use any of the published robust mix techniques. The most straightforward one is given as re-encrypting the sequence and permuting it randomly and then giving a zero knowledge proof.

The paper also gives an alternative way of forming the ballot, which is more efficient for large number of voters and candidates. The idea is to use c parts for the pre-determined candidates, rather than one. This decreases the required capacity considerably.

4.4.7 Mercuri Method

The so-called Mercuri Method [2] is a simple but effective concept, implemented in slightly different ways (possibly with various improvements/changes) by some companies. The idea is that apart from the simple 'select your candidate on the computer screen' process followed by the results being sent to a central server or stored locally, which might be lacking even the most basic security properties that some proposed protocols satisfy, a paper ballot of the said candidate is also printed. After the voter's inspection and confirmation, it is dropped into the ballot box to which the voter has no separate
access. This paper ballot, which looks similar to a conventional paper ballot, is stored for a possible recount. In a way, the system tries to improve correctness by ensuring the correctness of the backup vote.

4.4.8 Major Issues With Systems Based on the Mercuri Method

There are some potential problems when one decides to use the Mercuri method. Some of these issues are unique to protocols based on the Mercuri method, while others are common problems to most electronic voting protocols, that the Mercuri method by itself does not address. While none of these issues are strictly unsolvable, some are more difficult to handle than others, either intrinsically or because trying to solve them usually causes other problems. The major issues are as follows:

Consistency: When using the Mercuri method, there are actually two separate votes cast. Of course the system descriptions will necessarily indicate that those two votes will always be the same, however both designing and implementing this requirement and convincing the public that this will always be the case is a problem that needs to be addressed. The likelihood of this problem manifesting itself is closely related to the laws and rules of the election. Since voters will have visually reviewed the paper ballots, those will be the trustworthy ones. But if these paper ballots are only to be used on possible recounts, their positive effect on the reliability of the election will be diminished, especially in districts where getting a ruling for a recount is relatively difficult. This problem can trivially be solved by having the paper ballots be assigned the role of the real votes - rather than just a backup. However in that case the electronic tally will act merely as an unofficial exit poll - albeit one with a very high accuracy. This however reduces the usefulness of an electronic voting scheme, so looking for a better alternative is inevitable. One alternative is to ensure correctness separately, for example by using cryptographic techniques similar to ones without paper ballots. Another direction is to reduce the potential inconsistency between the electronic and the paper ballot, for instance by having a table of all the paper ballot votes indexed by their id's, and then randomly check a
predetermined amount of the ballots thereby testing if an inconsistency has occurred with a calculable probability. This of course will need to be designed carefully, as the id's might be used for coercion by linking the paper and electronic ballots. This is the direction we are taking in our protocol.

Coercion Resistance: This problem might present itself if it is possible to use a picture of the paper ballot as a proof. It all depends on what the system does if at the confirmation (of the paper ballot phase) the voter wants to change his vote (either because there was an error, or because of the voter changing his mind). If this process is easily recognizable by an outsider, the picture of the ballot at the final confirmation phase can be used for vote buying. As this problem can only be solved at the implementation phase - or diminished using effective election procedures - we will not go into any details.

Privacy: Unlike traditional voting, any electronic system that relies on the DRE to record/submit the vote has to consider privacy issues carefully. Chaum's protocol [71] circumvents this problem by not disclosing the vote to the DRE, but almost all other published systems are at least somewhat susceptible to vote recording and matching them with voters.

There are some simple procedures to reduce the possibility of this by designing the voting procedures carefully. In case there are multiple booths (which is the case in most districts), if the public cannot see which voter goes into which booth, the probability of a successful matching of votes and voters diminishes radically. Even if all DRE's are malicious, a confident match might be too hard. Of course this also depends on how the voter actually presents himself as a qualified voter to the DRE, i.e., if the authentication or authorization used at the DRE can be linked to the voter's identity.

Some ways that private information can be saved and later on retrieved are: by using the available storage and then making network connections, by using backdoors, subliminal channels (hiding the stolen information inside regular transmissions, encoded using techniques similar to the ones used in steganography), or similar techniques.

4.4.9 Other Protocols

Blind signatures, homomorphic encryption and mixnet based protocols are the three main types of design choices, however there are also some protocols that cannot be classified as any of these types. These usually have some radically different design. Here we present some of them briefly.

4.4.9.1 Three ballot

The ThreeBallot voting system [122] is a protocol recently proposed by Ronald Rivest. Its novel property is that it does not use cryptographic tools to achieve most of the usual properties that are aimed in voting protocols. However it has some limitations, particularly the security issue (a vote buying attack) noted by the author.

The system is based on punch cards or similar technology. The idea is to have three separate ballots, one row for each candidate - which are aligned. To vote for a candidate one marks two of the columns, and to vote against a candidate one marks only one column. All rows must have exactly one or two columns marked.

After the voter marks his choice, the ballot is fed to a checker, which also puts a red stripe on the chosen candidate. The three parts of the ballots are all used (separately) to cast a vote. The voter also gets his choice of ballot (one of the three) reprinted as a receipt - which can be used for verification.

At the end of the election all votes will be posted in plain text format to the bulletin board. Since each chosen candidate will get two votes and all others only one, subtracting the number of voters from all the candidates will give the result of the election.

The aforementioned vote buying attack works thus: The coercer tells the voter to mark the ballot in a specified pattern. This way even if the receipt has the required pattern, if the coercer cannot see the other two patterns in the public board, he will know that the voter did not vote according to plan.
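
The marking rule, the checker and the "subtract the number of voters" tally of Section 4.4.9.1 fit in a few lines; this is an added example, not code from [122] or from this thesis. The candidate names, the random ballot serials used to look a receipt up on the board, and the single-seat restriction in the checker are assumptions of the example.

```python
import random

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed candidate list, one row each


def fill_multiballot(choice, rng):
    """Mark two of the three columns in the chosen row and one column in every other row."""
    columns = [[0] * len(CANDIDATES) for _ in range(3)]
    for row, name in enumerate(CANDIDATES):
        for col in rng.sample(range(3), 2 if name == choice else 1):
            columns[col][row] = 1
    return [tuple(col) for col in columns]


def checker_accepts(ballots):
    """The checker's rule: every row carries exactly one or two marks.
    Allowing at most one two-mark row is this example's assumption for a single-seat race."""
    if len(ballots) != 3:
        return False
    row_marks = [sum(b[row] for b in ballots) for row in range(len(CANDIDATES))]
    return all(m in (1, 2) for m in row_marks) and row_marks.count(2) <= 1


def run_election(choices, seed=0):
    """Cast every voter's three ballots separately and keep one copy each as a receipt."""
    rng = random.Random(seed)            # seeded so the example is reproducible
    board, receipts = [], []
    for choice in choices:
        ballots = fill_multiballot(choice, rng)
        if not checker_accepts(ballots):
            raise ValueError("checker rejected the multi-ballot")
        # Hypothetical serial format: a random value that does not identify the voter.
        cast = [(f"{rng.getrandbits(48):012x}", b) for b in ballots]
        board.extend(cast)
        receipts.append(rng.choice(cast))
    rng.shuffle(board)                   # the board keeps no trace of which three belong together
    return board, receipts


def tally(board, n_voters):
    """Each voter adds one mark to every row and a second to the chosen row,
    so subtracting the number of voters leaves the real vote counts."""
    return {name: sum(marks[row] for _, marks in board) - n_voters
            for row, name in enumerate(CANDIDATES)}


def receipt_on_board(receipt, board):
    """Individual verification: the voter's copy must appear unchanged on the board."""
    return receipt in board
```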

4.4.9.2 Punchscan

Another election protocol that uses similar ideas is Punchscan [123, 124]. The novel approach of this protocol is that it does not need a DRE for each polling booth, as the ballots are cast by the voter in a booth on paper, which are scanned outside the booth by election authorities publicly, while still protecting privacy. Integration of write-in votes to the protocol is also possible [125].

Punchscan is a voting system invented by David Chaum and later developed by University of Maryland and Georgetown University researchers. Like the ThreeBallot [122] system, it is based on punch-card technology, however, unlike ThreeBallot, it uses cryptographic techniques. In a way, it is a transformed version of Chaum's visual cryptography protocol.

4.4.10 Possible Reasons for Not Adopting Advanced Cryptographic Schemes

Although some commercial systems exhibit signs of advanced cryptographic tools in their design, most systems seem to lack similar devices. Here we try to enumerate the possible reasons for this.

Practicality. Advanced cryptographic schemes necessitate setting up a complicated and distributed mix-net. (Most modern cryptographic voting protocols use mixnet for some reason or other.) These are generally used to shuffle the ballots so that any links between the resulting votes and the voters are lost. The questionable part of this method is that (unless the DRE does not know the vote itself - like in Chaum's protocol), it is still very difficult to protect the privacy if the DRE itself is compromised. In short, these methods are not strengthening the weakest link, nor are they protecting the most important property of a successful election: its correctness.

Ease of Use. The usual cut-and-paste schemes or Chaum's use of encrypted ballots usually result in rather complicated interfaces, or at least they make it very difficult to design clear and easy to use ones. This is contrary to one of the main ideas of using electronic systems, which is to simplify the process for the voters.

PAGE 61

Trust. With trust we mean the belief that paper ballots are sufficient as verification. People trust the validity of a ballot they can understand, more than a technically sound cryptographic receipt which has confusing numbers/letters on it. It is important not only to have a secure election, but also to have an election which people believe to be secure.

It is our view that unless some (or rather most) of these issues are resolved, the commercial system will favor systems that are less advanced yet satisfactorily handle the aforementioned problems. There is bound to be a trade-off between, say, ease of use and security; however, having at least an adequate solution to both sides should be possible.

4.5 Our Contribution: Homomorphic-Mercuri Hybrid Voting System

Our proposed protocol is a combination of classic homomorphic encryption schemes and the Mercuri method. Unlike the Prêt à Voter protocol, the voting device will know the chosen candidate, but to prevent cheating the cut-and-paste method (which will be explained later) will be used. On the other hand, because of fully using the voting device to enter the vote there will not be a need for paper ballots. However, in practice an additional burden (for the voter) would be the need to select the preferred candidate from a grid (stemming from the cut-and-choose method). This might be confusing for some users, but even very simple initial instructions should make it easy to use for the average voter. The advantage would be the extra certainty that the electronic vote is counted as intended.

In basic terms, the way our audit mechanism works is by linking the paper and electronic ballots cryptographically. This will be done using the re-encryption property of Paillier. Once the audit sample is selected, the voting device will need to publish the original encrypted votes of the selected paper-ballots. It will also prove that these two sets are in fact the same set of ballots. The auditors then will check all the tallies, and compare them to make sure that the tallies of the original encryptions, the re-encryptions and the paper-ballots are all equal.

PAGE 62

Apart from combining the Mercuri method with a homomorphic encryption based protocol, in the next chapter we also demonstrate a generic method for supporting write-in ballots.

4.5.1 Protocol Specification

In this section we give a detailed specification of our protocol. We describe the participants, the voting and tallying stages, and the auditing process.

4.5.1.1 Participants

The entities that are involved in the protocol are as follows. Figure 4-1 shows a graphical representation.

Authority: The authority A will be responsible for calculating and announcing the final tally.

Voting Device: The Voting Device VD gets the votes from the voters and submits them to the bulletin board BB. VD uses a computer screen S to display information (D) to the voter. It also uses a printer to print a receipt (R) for that purpose. The difference between these is that D will remain secret between the voter and the voting device, whereas R will be taken outside the booth by the voter. Finally it will also print the paper ballot and deposit it into the ballot box. Note the difference between the paper ballot and the paper receipt: The paper ballot will not be accessible by V.

Voter: The Voter V uses VD to submit a vote for his selected candidate.

Bulletin Board: The Bulletin Board BB is where the VD submits the votes. It is publicly readable, and write-only for the VD. A will read the votes from here. Note that all communication with the BB will be signed with the sender's private key.

Coercer: The Coercer C is a hypothetical participant. He can be any of the other participants or be in collusion with one.

It is assumed that the authorities have generated their encryption keys, the bulletin board is set up and that the voters are registered and ready to authenticate themselves right before they vote.

PAGE 63

Figure 4-1. Participants of the voting protocol

4.5.1.2 Voting

This phase occurs inside the voting booth, so it is assumed that there is a private and secure channel between V and VD. The only information that will be revealed to an outside party is the vote submitted to the BB by VD, and the receipt R printed by VD.

1. VD displays an $n \times d$ matrix (see Figure 4-2), where d is a security parameter (where a large d increases security but might lower usability), and $n - 1$ is the number of candidates (where abstaining is considered the nth candidate). Each row in this matrix consists of these candidates in a random order. Before submitting the vote, if the voter requests, VD generates another grid with the same properties. This prevents a forced-abstention attack [114] - i.e., prevents the Coercer from asking the voter to vote for a specific row and column, thereby effectively randomizing his vote. Note that this attack was not mentioned in [126].

PAGE 64

Figure 4-2. Candidate selection screen

2. VD now generates random numbers rnd and prints commitments c(x,y) (Section 4.5.1.4) for each cell in the matrix, to ensure that the VD cannot change the content of a cell in the candidate matrix. These commitments essentially follow the same lines as Forsythe's protocol [126], and ensure with $\frac{d-1}{d}$ probability that the vote will be cast as intended (or rather $\frac{d-1}{d}$ probability that the cheating VD will be detected). These commitments are also sent to BB, where they will be publicly verifiable.

3. V first randomly selects a row, and then submits his chosen row and column (and thereby candidate). VD prints the paper ballot, and adds a randomized re-encryption of the same vote by multiplying c(x,y) with a new random number $r'_{x,y}$. This re-encryption will be used for auditing purposes. VD then waits for a confirmation. V inspects the paper ballot, and if the ballot shows his chosen candidate confirms the

PAGE 65

ballots. After the confirmation from V, VD deposits the paper ballot into the ballot box.

4. VD then opens the commitments (Section 4.5.1.4) for unchosen rows by printing the random order of the candidates along with the random numbers used for the commitment (and encryption) on the paper receipt. It also prints the location of the selected cell (the row and column numbers), but not the name of the candidate in that cell. VD finally adds a signature of the content of the receipt at the end of the receipt, to ensure the authenticity of the receipt. The same data is also sent to BB.

5. Finally, VD sends the encrypted vote c(x,y) for the chosen cell (x,y) to the BB for tallying purposes. At this stage, VD also submits a proof of well-formedness of the vote, by proving that the encryption is for a string in the set of c valid votes using a zero-knowledge proof (this step is also not included in [126]). See Section 2.7.1 for the details of this process. Now the c(x,y) can be compared to the receipt on the BB and checked for well-formedness, so cheating at this step is not possible.

6. At the end of the voting session, VD sends the list of the re-encrypted votes to the BB. It also adds a zero-knowledge proof that shows the sum of these votes and the sum of the primary votes are equal, i.e., the products of both sets of encryptions are equal. The details for this are given in Section 4.5.1.5.

4.5.1.3 Sample voting walk-through

Here is a sample walk-through for an election with three candidates: A, B, C, and with security parameter d = 3. We omit any possible abstaining votes.

1. Table 4-1 shows a sample ballot generated by the DRE:

Table 4-1. Sample ballot
A  C  B
C  A  B
B  A  C

2. For each cell, the DRE calculates c(x,y), as detailed in Section 4.5.1.4. These commitments are then printed on the first part of the receipt.

3. The voter now selects a random row, the second row for example, and on that row selects his candidate, A. On the selected row, the candidate happens to be in the second column, so the chosen candidate is on cell (2,2).

4. The VD opens the commitments of the remaining rows. This is done by printing the salt (random numbers $r_{i,j}$) used for the encryption on the second part of the receipt. For the selected row, rather than printing the random numbers $r_{i,j}$, it prints "2",

PAGE 66

representing the second column of the chosen row. No salt is printed for this row, as that would make it possible to open the encrypted vote. Table 4-2 shows what the sample receipt (with both part one and part two printed) would look like.

Table 4-2. Sample receipt
c(1,1)  c(1,2)  c(1,3)
c(2,1)  c(2,2)  c(2,3)
c(3,1)  c(3,2)  c(3,3)
A,1A0C782B  C,23498DF2  B,9823B08A    first row candidate order and $r_{1,i}$
2    selected candidate
B,B3296A92  A,87C98A9F  C,98F89DC1    third row candidate order and $r_{3,i}$

5. The VD now prints the paper ballot and waits for the voter's inspection. The voter checks if everything is correct (both on the receipt and on the paper ballot), and gives the final confirmation. He takes the receipt, makes sure the paper ballot is deposited into the ballot box, and leaves the booth.

6. Outside the voting booth or after getting home, the voter can use the receipt to check if the submission to the BB is correct. This is done by comparing the printed values to the ones submitted and by checking that the correct row and column of the candidate table is specified, thus making sure that his electronic vote was submitted and will be counted correctly. The voter (or anybody) can also check if the commitments are in fact opened correctly, which will persuade him that his vote was submitted correctly.

4.5.1.4 Details of the commitments and encryptions

The protocol uses Paillier encryption for the votes and commitments. Let $n = pq$ and $g \in \mathbb{Z}_{n^2}$ with order n for some non-zero. Let there be k candidates and at most h voters. We assign to each candidate a number 0i
PAGE 67

4.5.1.5 Proof of equality of product of submitted votes and product of randomized votes

VD uses this scheme to prove that the randomized votes added to the paper ballots sum to the same tally as the ones submitted to the BB as the primary votes. This is needed for the audit mechanism (explained later) to work. The zero-knowledge proof presented here is a non-interactive version (constructed using the Fiat-Shamir heuristic [49]) of the proof given by Baudron et al. [25]. We assume that the votes sum to m. VD picks a random r and a random $s \in \mathbb{Z}_n$ and computes $u = g^r s^n \pmod{n^2}$. He then calculates H(u), where H is a secure one-way hash function. He then computes $z = r + me$ and $v = s r^e \pmod{N}$. (u, v) then constitute a zero-knowledge proof, and this can be checked by $g^z v^N = u c^e \pmod{N^2}$.

4.5.1.6 Tallying

Once all the ballots are cast and submitted to the BB, A will take the pre-listed candidate part and add all the encrypted ballots and decrypt the result - adding proofs of correctness of the decryptions (details given in Section 4.5.1.7), thereby getting the final count. Note that this is different from the usual homomorphic encryption based voting scheme, where usually there is a mixing phase. The reason for the mixing phase is so that no single authority can reconstruct the link between the encrypted and decrypted ballots. But in our case that would not accomplish anything, as the VD already knows the ballots. Additionally, the paper ballots will also have all the votes, and can be used for a possible recount.

4.5.1.7 Proof of correctness of the decryptions

A will take all votes $c_i = g^{m_i} r_i^n \pmod{n^2}$ and add them all by calculating $c = g^{\sum m_i} (\prod r_i)^n \pmod{n^2}$. This is decrypted to R, and a zero-knowledge proof is added, using the set membership proof given in Section 2.7. To get the number of votes for candidate i, we just calculate $(R / h^i) \pmod{h}$, where '/' represents integer division - as R is just a k-ary number, $K = m_{k-1}, \ldots, m_0$.
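The non-interactive proof of Section 4.5.1.5, as an added example (not code from the dissertation), run on the homomorphic product of three constructed ballots with a toy modulus. Assumptions of this example: g = n + 1, the challenge is e = H(c, u) (the text writes H(u); binding the ciphertext into the hash is this example's choice), the proof is carried as the triple (u, z, v), and `rho` names the combined randomness of the aggregated ciphertext.

```python
import hashlib
import math
import random

# Toy Paillier modulus (constructed; real keys use primes of 1024+ bits).
P, Q_PRIME = 1009, 1013
N = P * Q_PRIME
N2 = N * N
G = N + 1            # assumption: g = n + 1, which has order n modulo n^2


def rand_unit(rng):
    """Random element of Z*_n."""
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x


def encrypt(m, rho):
    """c = g^m * rho^n mod n^2."""
    return pow(G, m, N2) * pow(rho, N, N2) % N2


def challenge(c, u):
    """Fiat-Shamir challenge e = H(c, u), nonzero and below both prime factors of n."""
    digest = hashlib.sha256(f"{c}:{u}".encode()).digest()
    return int.from_bytes(digest, "big") % 511 + 1


def prove(c, m, rho, rng):
    """Prover (VD): knows m and rho with c = g^m rho^n."""
    r = rng.randrange(N)
    s = rand_unit(rng)
    u = pow(G, r, N2) * pow(s, N, N2) % N2      # commitment u = g^r s^n
    e = challenge(c, u)
    z = (r + m * e) % N                         # g has order n, so reducing mod n is safe
    v = s * pow(rho, e, N) % N                  # v = s * rho^e mod n
    return u, z, v


def verify(c, proof):
    """Verifier: accept iff g^z v^n == u c^e (mod n^2)."""
    u, z, v = proof
    e = challenge(c, u)
    return pow(G, z, N2) * pow(v, N, N2) % N2 == u * pow(c, e, N2) % N2


def aggregate(ballots):
    """Homomorphic sum: (product ciphertext, plaintext sum, combined randomness)."""
    c, m, rho = 1, 0, 1
    for m_i, r_i in ballots:
        c = c * encrypt(m_i, r_i) % N2
        m += m_i
        rho = rho * r_i % N
    return c, m, rho


def demo():
    rng = random.Random(49)                     # fixed seed for a reproducible run
    # Constructed ballots (plaintext, randomness); plaintexts 1 and 10 encode two candidates.
    ballots = [(1, rand_unit(rng)), (10, rand_unit(rng)), (1, rand_unit(rng))]
    c, m, rho = aggregate(ballots)
    honest = prove(c, m, rho, rng)
    wrong_sum = prove(c, m + 1, rho, rng)       # VD claims a tally that c does not encrypt
    u, z, v = honest
    tampered = (u, (z + 1) % N, v)              # proof modified after the fact
    return verify(c, honest), verify(c, wrong_sum), verify(c, tampered)


if __name__ == "__main__":
    print(demo())
```
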

PAGE 68

4.5.1.8 Auditing

Our protocol results in both a paper and electronic ballot, where the paper ballots are (at least in theory) assumed to be for recounts only, and the electronic votes are considered the primary ballots. But having the paper ballots only for recounts would not be an efficient way of using all the additional overhead introduced by them. Another useful way these ballots can be used is for auditing purposes. Unfortunately, just having the paper and the electronic ballots linked in a straightforward manner is dangerous to the privacy of the voters, as the electronic vote itself (in encrypted form) is already linked with the voter. Since the unencrypted vote will be anonymized during the mixing phase, the encrypted vote will need to be used for this purpose. (Technically the link can still be established with all the authorities' agreement, but this would be very inefficient and would also contradict the assumed security properties of the mix itself.)

Our solution to this problem is to add a randomized version of the encrypted ballot to the paper ballot. The VDs will have posted the randomized votes and proven that they add up to the same tally as the original ones. Following is a description of how this audit mechanism works. For auditing, some number of paper ballots will be randomly selected (see the work by Rivest [127] for a simple method; for an extensive bibliography of election auditing see [128]). The VD will first post the list of the original ballots, in a random order to prevent matching the lists ballot by ballot. VD will also prove that the list is in fact the correct list, i.e., they are the electronic counterparts of the paper ballots. Then, separately, both the original and the re-encrypted votes (on the randomly selected paper ballots) will be summed using the homomorphism property and the tally and the randomness will be revealed by the VD. The results will be compared with the counts of the chosen ballots (using the plain text votes) to see if there is any discrepancy.

PAGE 69

The main difference between this system and using a basic 'id' based method is this: In the basic method, to get the information of the chosen candidate by a voter the coercer would need to satisfy the following:

1. The coercer needs to be able to record (or have access to) the id of the paper ballot (either by the particular paper ballot being selected for the audit or by some other means).
2. The coercer needs to be able to record (or have access to) the id of the voter's receipt.

The second item is usually assumed to be relatively easy to do; however, in this case the first item is not very difficult either, at least if the vote is selected for auditing. To compare, in our scheme, in addition to the two items listed above the coercer also needs to have access to the random number generated by the DRE. This is only possible if the DRE is also compromised. This alone should be a safer guard than the combined safety of the two items listed above.

4.5.1.9 Audit mechanism details

Assume that the VD has submitted m encrypted votes $c_i = g^{m_i} r_i^n \pmod{n^2}$. It also will have re-encrypted these votes as $c'_i = g^{m_i} (r_i q_i)^n$. Assume a set A, with size k, is selected for audit. Then for each $c'_i$, the VD will first publish $R = \prod_{i \in A} r_i$ along with the list of $c_i$ for $i \in A$ in a random order. The VD will also publish $Q = \prod_{i \in A} q_i$. The auditors will now have to check three things:

1. That the published list of $c_i$'s is the correct mapping to the selected paper ballots forming the set A.
2. That the $q_i$'s are really the random numbers used for the re-encryption of the $c_i$'s.
3. That the tallies of the encrypted votes, the re-encrypted votes and the plain text votes on the paper ballots all agree.

For the first two items, consider the two different ways the VD might try to cheat. First of all, it might have done the re-encryption incorrectly, i.e., changing the vote that was for $m_1$ to $m_2$ by basically just encrypting $m_2$. But to do that and still pass the audit,

PAGE 70

even if all the other votes are correctly formed, it will need to find a random number q such that multiplying $g^{m_1} r_1^n$ by $q^n$ should give $g^{m_2} r_2^n$. That means that $q^n = g^{m_2 - m_1} \left(\frac{r_2}{r_1}\right)^n$, hence $q = (m_2 - m_1) \log_n g \, \frac{r_2}{r_1}$. So the VD will need to find the discrete logarithm of g base n (both parts of the authorities' public key), which is assumed to be infeasible.

Alternatively, the VD might submit the list of the original votes incorrectly, using a set with the same tally as A. In that case however the cheating VD will have the same problem. Now rather than the $c'_i$'s, the $c_i$'s are wrong, but the way to cheat is still finding the q that can be used to hide the fact that the re-encryptions are not consistent. Hence, this attack is also infeasible.

To check against these possibilities, the auditors only need to confirm that $\prod c_i q_i^n = \prod c'_i \pmod{n^2}$. After ensuring that the first two possible ways to cheat are infeasible, the auditors only need to check the third part, which is straightforward for the auditors. The plain text tally $m_p$ is converted to the electronic tally format (using the $1, M, M^2, \ldots, M^n$ scale) and $g^{m_p} R^n \pmod{n^2}$ is calculated and compared to $\prod_{i \in A} c_i \pmod{n^2}$ and $\prod_{i \in A} c'_i \pmod{n^2}$. If these three are all equal, the auditors can be convinced that the tallies are all equal as they should be.

To analyze the security of this system, note that apart from the list of $c_i$'s only the random numbers used for re-encryption are given. So for the original encrypted votes only R is given out that was not already published. But as this is the product of k random numbers, and without the knowledge of $k - 1$ of them, it cannot be used for any cryptanalysis. The other main concern, which needs to be addressed, is the fact that the count of the partial tally will be known as well as the encrypted ballots that are in the audit set. So anyone that is able to link the encrypted vote to its voter (which is only possible by using the receipt of the voter assuming the VD has no leaks, and therefore also implies potential deniability if the link is uncovered), might get some information from the partial tally. But this should not be a concern as long as a sufficiently large sample is used for auditing.
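The packed-tally decoding of Section 4.5.1.7 and the three audit comparisons of Section 4.5.1.9, as an added example (not code from the dissertation) on a toy Paillier key with constructed votes. Assumptions of this example: g = n + 1, candidate i is encoded as the plaintext h^i with h larger than the number of voters, and all function names are hypothetical. The re-encrypted product is compared against $g^{m_p}(RQ)^n$, since each $c'_i$ carries the extra factor $q_i^n$.

```python
import math
import random

# Toy Paillier key (constructed for this example; real keys use primes of 1024+ bits).
P, Q_PRIME = 1009, 1013
N = P * Q_PRIME
N2 = N * N
G = N + 1                                   # assumption: g = n + 1, which has order n
LAM = (P - 1) * (Q_PRIME - 1) // math.gcd(P - 1, Q_PRIME - 1)
MU = pow(LAM, -1, N)                        # decryption constant for g = n + 1


def rand_unit(rng):
    """Random element of Z*_n, used as encryption or re-encryption randomness."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r


def encrypt(m, r):
    """c = g^m * r^n mod n^2."""
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """Authority side: m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def reencrypt(c, q):
    """c' = c * q^n mod n^2 = g^m (r q)^n: same plaintext, fresh randomness."""
    return c * pow(q, N, N2) % N2


def product(values, mod):
    out = 1
    for v in values:
        out = out * v % mod
    return out


def decode_tally(total, h, k):
    """Votes for candidate i are the i-th base-h digit: (total // h^i) mod h."""
    return [(total // h ** i) % h for i in range(k)]


def vd_open_audit(audit_set, ciphertexts, rs, qs, rng):
    """What the VD publishes for audit set A: the original c_i (shuffled), R and Q."""
    opened = [ciphertexts[i] for i in audit_set]
    rng.shuffle(opened)                     # hide which c_i belongs to which paper ballot
    R = product((rs[i] for i in audit_set), N)
    Q = product((qs[i] for i in audit_set), N)
    return opened, R, Q


def auditor_check(opened, R, Q, paper_ballots, h):
    """paper_ballots: (candidate index, c'_i) pairs read off the audited paper ballots."""
    prod_c = product(opened, N2)
    prod_c2 = product((c2 for _, c2 in paper_ballots), N2)
    m_p = sum(h ** cand for cand, _ in paper_ballots)   # paper tally in packed form
    return {
        # prod(c_i) * Q^n == prod(c'_i): the opened list matches the paper ballots
        "link": prod_c * pow(Q, N, N2) % N2 == prod_c2,
        # g^{m_p} R^n == prod(c_i): electronic votes agree with the paper count
        "original_tally": encrypt(m_p, R) == prod_c,
        # each c'_i carries an extra q_i^n, so this side uses (R Q)^n
        "reencrypted_tally": encrypt(m_p, R * Q % N) == prod_c2,
    }


def demo(cheat=False):
    rng = random.Random(2009)               # fixed seed so the run is reproducible
    h, k = 10, 3                            # h exceeds the number of voters; 3 candidates
    votes = [0, 2, 1, 0, 0, 2, 1, 0]        # constructed sample: candidate index per voter
    rs = [rand_unit(rng) for _ in votes]
    qs = [rand_unit(rng) for _ in votes]
    cts = [encrypt(h ** v, r) for v, r in zip(votes, rs)]
    paper = [(v, reencrypt(c, q)) for v, c, q in zip(votes, cts, qs)]
    if cheat:
        # Misbehaving VD: the electronic vote of voter 1 differs from the paper ballot.
        cts[1] = encrypt(h ** 0, rs[1])
    tally = decode_tally(decrypt(product(cts, N2)), h, k)
    audit_set = [1, 3, 4, 6]
    opened, R, Q = vd_open_audit(audit_set, cts, rs, qs, rng)
    return tally, auditor_check(opened, R, Q, [paper[i] for i in audit_set], h)


if __name__ == "__main__":
    print(demo())
    print(demo(cheat=True))
```

With the altered electronic vote inside the audit set, the link and original-tally comparisons fail while the paper-side comparison still holds, which points the auditors at the electronic record.
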

PAGE 71

4.5.1.10 Security improvement

Although the protocol prevents coercion by letting the voter select a row and column, in practice the issue is somewhat more complicated. The problem, mentioned previously [126] without a satisfying solution, is that it would be difficult for the voter to make sure the VD does not change any entry in the matrix - as there are nd entries, thereby preventing being caught cheating. To resolve this defect, the implementation can be changed such that rather than selecting the chosen row, the voter selects (or rather deselects) another one of the remaining rows repeatedly until the chosen row is left. This way he only needs to observe n fields rather than nd, which would make it very difficult for the VD to cheat.

4.5.1.11 Using voting devices and paper ballot printers from two different suppliers

As a further measure of preventing the DRE from cheating, another deployment improvement would be to have the electronic ballot part of the voting machine and the paper ballot part be supplied by separate vendors or sources, after designing a standard communication protocol between those two parts. This will make it much more difficult to launch a successful attack on the voting system.

4.5.2 Comparison

Here is a list of the most important differences between our protocol and two other voting systems. The first one is Prêt à Voter, briefly described in Section 4.4.4, with a more detailed explanation in Section 5.2.2. The second one is the generic system based on the Mercuri method, assumed to have only the basic properties as it is not based on a specific protocol, because of the lack of details of commercial systems.

4.5.2.1 Comparison with Prêt à Voter

The main differences between Prêt à Voter and our protocol are:

- Our protocol leaves a paper audit-trail, thanks to the Mercuri method. So in our scheme votes can be recounted.

PAGE 72

- The paper audit-trail also enhances security by acting as a secondary and more trustworthy alternative tally, which in turn promotes trust in the system.
- The candidate list will be taken from the voter, so it cannot be kept and potentially used for vote buying, etc. The design is such that even if the DRE reads the list (since it will have the hardware necessary for it - to be used for reading the barcode), the cryptographic commitments (i.e., almost everything that will be submitted to the server) will already be printed, as will be the paper vote itself, practically making any malicious use impossible.

4.5.2.2 Comparison with the Mercuri method

The security of the proposed system is more advanced in all aspects, as it includes all security measures and adds some more to the set. These mostly include greatly improved privacy, voter verification of the electronic vote, and enhanced correctness. We also have paper ballots and electronic ballots linked, which increases the electronic vote's reliability as well as helping pinpoint the cause of any discrepancy - if it exists - during the audit phase.

4.6 Security Analysis Methodologies

Most voting system protocol proposals are accompanied by security analyses. However, the amount of detail and thoroughness usually varies wildly. Furthermore, there is no agreed-on systematic way of doing these analyses, so the methodologies are also usually different. In this section we give a brief literature review on the methodologies and techniques used for analyzing the security of voting protocols.

Kelsey [129] discusses the security issues of voting systems. The authors list three main issues: corrupt machines, compromisable machines, corruptible communications. They also list possible goals for the attackers: election fraud, disruption, discrediting, privacy violation (further separated as voluntary or involuntary). Furthermore, they classify the difficulty of attacks in terms of resources used (money, skills, risk tolerance, and insider access) and conspiracy required (size and diversity).

Jones [130] concentrates on building a taxonomy for voting system threats, and suggests building a catalog of threats. Their classification starts by addressing the phase of

PAGE 73

the election that is being manipulated, and they give the following list, which is later on expanded.

1. Registration
2. Polling place access
3. Voter manipulation
4. Ballot manipulation
5. Threats to the ballot tabulation process itself
6. Threats to the results of the tabulation process

The authors then continue to secondary indices, the first being what technology is vulnerable, another one being the scale of the attacks and yet another being who carries out the attack. In this last type of classification, the authors give the following list:

1. Individual Voters
2. Outside Attackers
3. Polling place workers or other staff
4. Permanent employees at the election office
5. Election Officials
6. Equipment Vendors
7. Policy Makers

The authors also make several other important observations, where they suggest evaluating the likelihood of attacks and the cost-effectiveness of defenses against them. They also point to the fact that evaluating the voting system standards, voting laws, and administrative rules governing the election cannot be separated from a threat analysis.

Several researchers studied the auditing aspect of elections. Aslam et al. [131] give a simple statistical framework for auditing techniques and calculating the size of an audit to satisfy a given confidence interval, whereas Neff [80] compares the efficiency of different auditing mechanisms.

Another issue with many publications is the law and standards aspect of voting, where the pros and cons of paper voting vs. electronic voting are also discussed. In this respect Jones' testimony before the U.S. House of Representatives [132] was a detailed

PAGE 74

overview of the problems with voting system standards. McGaley and McCarthy [133] discuss the pros and cons of electronic voting compared to traditional paper based voting, with a focus on voting in Ireland.

Finally, several papers analyze the security properties of some specific voting protocol, usually with different methods and different focus characteristics. Kohno et al. [134] present a security analysis of the voting system used by Diebold, concluding that the system is unsuitable for use in general elections and suggesting voting systems have 'voter-verifiable audit trails'. Keller et al. [135] analyse the privacy properties of the Open Voting Consortium's open source voting system. Das et al. [136] give a security analysis of the eVACS open source voting system used in an electronic voting trial in Australia. Varner [137] develops a technique for conducting security analysis of Internet voting systems and presents a thorough analysis of the voting system 'VoteHere,' which is arguably the most thorough voting system analysis ever published. Also, some publications analyze a specific property in detail, usually applied to two or more systems. Adida and Neff [138] define 'ballot casting assurance' as a complement of universal verifiability. They then analyze two protocols to see if this requirement is satisfied. Adida also developed theoretical results for the concept of 'uncoercibility' of voters, and then proved that it is satisfied in a new protocol that is suggested [139]. Cetinkaya et al. [140] discuss the concepts of verification and validation in the context of e-voting. Sherman et al. examined the vote verification systems of several voting systems for the Maryland State Board of Elections [141]. Their results mostly find that privacy is lacking in those systems. Even though there are some redeeming factors for most systems, in general they also are not as secure as hoped for in many other aspects - some less than others. This leads to the conclusion that not only are the basic cryptographic prospects not on par with what experts expect and researchers (in a broad sense of the word) make available, but also that certain system-wide deployment issues like accessibility, reliability, data management, election administration, and implementation are glaringly unsophisticated.

PAGE 75

Another research area not strictly part of electronic voting but closely related to our current discussion is the study of techniques of security analysis. These publications form a bridge between cryptographic voting systems and security analysis methodology in cryptography.

In abuse case modeling [142], the threats are enumerated on an ad-hoc basis. This method is usually used during the design phase. Attack tree modeling [143] is a more systematic method. The so-called 'Fairly Simple Security Analysis and Modeling Methodology (FaSSAMM)' is introduced in [137] to assess the security risk to the completeness, soundness, privacy, unreusability, eligibility, fairness, reliability, and verifiability of voting.

Some attacks that are detailed in that work are as follows.

1. Distributed Denial of Service Attack: The attacker sends so many fake connection requests that the server cannot process the legitimate ones.
2. Malicious Code Attack on Client: Using a Trojan, virus, or worm invading the user's computer and manipulating the voting process.
3. Domain Name System Attack: Corrupting the DNS (domain name server), which would result in voters having trouble connecting to the election site.
4. Attack By Corrupt Voting Administrator: Various types of attacks resulting from an administrator's malicious acts.

Using the abuse case model, possible threats are enumerated and detailed; the synopsis of an attack includes the following parts: ID, title, description, harm, attackers, visibility, violations, likelihood, preconditions, triggers, attack flow of events, alternative paths, postconditions, comments, defense mechanisms, and additional information.

Green and Adler [144] list the principal vulnerabilities of secret ballot voting as: compromise of election integrity, compromise of secrecy, and denial of service attacks. Three categories of countermeasures are listed as: protection, detection, and deterrence.

Three levels of countermeasures are identified against vulnerabilities.

PAGE 76

1. Protocol Level: Focuses on the election data. This is the level central to their threat level analysis.
2. Implementation Level: Focuses on the software and hardware of the election devices, etc.
3. Procedural Level: Focuses on defensive procedures and processes that would make the election more secure.

After this classification, the paper describes the attack trees and the lists of the defensive countermeasures of the protocol against these attacks in detail.

4.7 Analysis of Our Voting System

In this section we present a security analysis of our proposed protocol, and also explain the methodology that we use. We first specify the requirements and assumptions that need to be made. Afterwards, we detail how each of the requirements is protected under the given assumption. This is done in a systematic way, arranged by presumed attackers. As examples we analyze our proposed protocol and, as a comparison, "Prêt à Voter." Comments will also be added for the "Mercuri method" systems.

4.7.1 Requirements

To make an extensive security analysis of a voting protocol, we first need to focus on what we expect from the system: the requirements. Any potential attack will target one or more of these requirements, which is why our analysis will start looking for possible scenarios where these can be fully or partially compromised. Hence, we first need to agree on these requirements. Afterwards we will list the specific requirements that will be evaluated in this part of the dissertation, and assign codes to them to make the actual evaluation easier.

4.7.1.1 Primary requirements

These are the usual key requirements, which are assumed to be critical, and even a small possibility of a security risk is worth examining.

- Correctness (Used as a catch-all property, including soundness, accuracy, etc.)
- Uniqueness

PAGE 77

- Privacy
- Fairness
- Receipt-Freeness (also includes coercion resistance)
- Verifiability (Universal and/or Voter)

4.7.1.2 Secondary requirements

These are the requirements which are secondary in terms of priority, or measures which can take many different values - in other words properties that do not just take the values of 'satisfying' or 'not satisfying'. The voting protocol is usually less sensitive to attacks on these properties, although any successful attack will at least be a nuisance and at worst be as important as an attack on one of the primary requirements.

- Practicality
- Robustness

4.7.1.3 List of requirements

Here we give codes for each requirement to be used as shorthand in the analysis part. Note that we omit uniqueness, as that is assumed to be handled before the voter enters the voting booth. This will be included in the requirements list later. Furthermore, practicality is also not listed, as it is not really a security issue but rather a usability issue.

One important point that should be remembered is about the privacy requirement. We are in fact assuming that the voter will be anonymous when entering the voting booth (see Section 4.7.2.5); however, this is not assumed to be guaranteed, so we analyze the security of the second layer of privacy the protocol itself provides.

R1 Privacy
R2 Correctness
R3 Verifiability (where R3i is used for individual and R3u for universal verifiability if the distinction is important)
R4 Robustness

PAGE 78

R5 Fairness
R6 Coercion-resistance

4.7.2 Assumptions and Trust

Analyzing the security of a cryptographic protocol requires some assumptions about the deployed system to be of practical use. The reason for this is that in almost all aspects, some security risks that are apparent in the protocol can easily be fixed in the implementation, or a protocol that seems secure can be made insecure during deployment. Therefore by making some basic assumptions about the procedures and system deployment one can greatly simplify the security analysis. Satisfying some of these assumptions is not trivial; however, in that case the burden of complying is delegated to the system designers, procedure modelers, and software developers.

4.7.2.1 The DRE and the voting booth

The DRE is assumed not to have the identity information of the voter, other than being able to recognize if the user is an actual registered voter who did not already vote. However, the DRE might be compromised, a possibility that is at the center of most voting protocol designs.

The voting booths on the other hand are assumed to be physically secured. The implication of this is that no outside entity (other than the DRE and voter) can get any information from the transaction inside the voting booth. Furthermore, the voter cannot get any physical evidence from the transaction (for example a picture or video) from the voting booth - other than the receipt/ballot that is part of the system. This is one of the assumptions that is non-trivial to satisfy, but is necessary for any meaningful discussion of uncoercibility (and other properties); solving this problem is almost impossible by the protocol design itself.

Another assumption that needs to be made in most election protocols is the infeasibility of linking voters with the specific DRE they use for voting. This prevents any links from an identity to a specific vote, in case the DRE is compromised, preventing

PAGE 79

any coercion aspects. Of course it also necessitates voter education, meaning that the voter needs to know that even in the unlikely event that the DRE is compromised, the link cannot be established for certain. (Probabilistic links cannot possibly be eliminated.) The first step to establish this security measure should be to have multiple DREs in a different room, making sure that it cannot be established which DRE the voter is using.

4.7.2.2 Election authorities and DRE suppliers

Special assumptions about the election authorities are usually indicated as part of a voting protocol. Having no more than $n - k$ malicious out of n authorities is a common requirement, which we also employ. The common sense approach would be to have authorities selected by or made up of federal and local authorities (from various branches of the local and federal government) as well as a number of civil rights groups. This would reduce the likelihood of collusion between the authorities.

Another assumption with respect to the authorities is that their transactions are considered completely secure - which again needs to be satisfied by the system engineers. The processing of keys and messages needs to be done in a secure environment, preventing any leaks about the key share. As this is the practice in many government and military establishments, its practical application should be fairly straightforward. The communication between authorities will be carried out by using the publicly readable bulletin board, for which the necessary security measures will be considered in the next subsection.

4.7.2.3 Bulletin board

The assumptions about the bulletin board are fairly straightforward and common. We assume a secure communication channel, which actually only needs to be one-directional. The security can be based on the IP (Internet Protocol) level - like IPSEC [145] (Internet protocol security) - or at the transport layer - like TLS [146] (transport layer security). We also assume the board to be read-only. This makes it easy to deploy distributed backups, which can in turn be used to ensure the read-only property. The

PAGE 80

bulletin board should also give write-access only to registered voting booths, which should be done using authentication supplementing public encryption.

4.7.2.4 Voters

The assumptions inside the voting booth notwithstanding, the voters are all potentially in collusion with the DRE, the Coercer or Authorities. This is in line with the usual standard of the voter's only authority being the right for one vote. However, common sense dictates that the number of malicious voters will be very small compared to the honest voters, thereby making any statistical attack infeasible.

4.7.2.5 Summary list of assumptions

A1 The voter is authenticated and authorized before entering the voting booth. It is ensured that no voter can vote more than once.
A2 Neither the voter nor the coercer has a way of bringing out any proof of the process in the voting booth, other than the receipt the voter will be given.
A3 The DRE has no way of sending unauthorized information to any other party. This assumption is necessary as there is no way to prevent coercion cryptographically otherwise. (Note that some protocols like Prêt à Voter go around this problem by not having the DRE know which candidate is voted for. The usual approach, however, is to delegate this problem to the implementation phase by securing any incoming and outgoing communications and limiting the potential ways to store unauthorized information about the voting process. Additionally, increasing anonymity for the voters entering the booth also reduces the potential impact of this weakness.)
A4 The public key encryption system used is secure, and has no informational leakage.
A5 At most $n - k$ out of n authorities are assumed to be malicious.
A6 Voters will be anonymous when entering the voting booth, and the possibility of recovering the identity of a voter will be minimal.

PAGE 81

4.7.3 Attacker Based Analysis

Any voting system needs to have a thorough security analysis carried out before it can be used in practice. In this and the next section potential attacks and vulnerabilities and our protocol's defenses against these will be analyzed. The analysis is categorized by attackers. This section will be limited to possible attacks carried out by individual attackers. In the next section, collusion attacks, which are usually the most dangerous attacks and therefore challenging to defend against, will be analyzed.

There are no assumptions made about the attackers. They try to actively use any vulnerability of the system to attack the system any way possible, from coercion to learning how a particular voter voted, to preventing the system from functioning. There are no assumed limits on their willingness to take risks or financial power, but the more these are required, the weaker the attack possibility is assumed.

Our analysis will be made based on the attacker, and each of the usual key security requirements of a voting system will be analyzed if relevant. Privacy, correctness, verifiability, robustness, fairness and receipt-freeness will be the major requirements, as listed before.

4.7.3.1 Attacks by the voter

As the voter has very limited power (other than being able to vote), his collusion with other parties is usually not a serious issue. The requirements R1 and R3i are requirements to protect the voter, so these need no protection against the voter. R2 is not an issue, because the DRE makes any necessary checks - and in fact the voter will usually only need to push buttons, preventing any possible foul play. R4 can be attacked by a voter, but only in the sense of damaging the system, an attack we will ignore. R5 is also not relevant, as the voter does not have any additional information (about the other votes or the status of the election) that the DRE does not have, so even a collusion would not be useful.

To get a receipt and be able to prove his vote, a voter can take pictures of the paper-ballot. But this is assumed not to be possible with assumption A2. Using the

receipt, a proof cannot be created either, as the only working part of it would be c(x,y) for the selected column and row. However this string will be encrypted, and should not leak any information (A4). Another type of attack, known as forced abstention or randomization attacks, is also not possible as mentioned before. The reason is that the voter can ask for as many random matrix generations as possible, and can do this until the preferred candidate is on the expected spot.

One other risk worth mentioning would be the collusion with the DRE to get a receipt that can be used as a proof. However, if the DRE is malicious, privacy is already at risk (the DRE necessarily knows who the voter voted for), so the help of the voter is not significant in reducing the power of the attack. The assumption A3 is listed so as to underscore this weakness.

4.7.3.2 Attacks by the DRE

As mentioned before, the DRE will know who the voter voted for, so the A3 assumption is needed for privacy.

For the correctness requirement, consider the case where the DRE is trying to submit a wrong vote. This is prevented by the voter observing if the receipts are well-formed, i.e., if the opened commitments show the same candidate names as they did initially. For the robustness requirement, the DRE can try to prevent voting or submit a corrupt vote: this is the DoS attack mentioned before. Like all voting protocols, there are many ways a DoS attack can be launched, especially using the DRE. The key is to minimize the risk and have well designed procedures to deal with these potential problems. The main issue will be the votes submitted using the problem DRE, as their reliability has diminished.

4.7.3.3 Attacks by the authority

R1 and R6 are not vulnerable to the authority, as the encrypted votes are the only important data they receive and these are completely anonymous. R5 is protected by the fact that the threshold system requires k out of n authorities to decrypt any ciphertext (A5). The authority's main purpose is to decrypt the encrypted votes using the
mix. However the mix is designed to prevent any one authority from easily cheating by changing or corrupting some votes (R2, R3, R4). This is done by having the authority prove the correctness of the mixes. As we only need k out of n authorities to correctly mix, the potential risk coming from the authorities is very low and assumed non-existent by A5.

4.7.3.4 Attacks by the coercer

R2, R4 and R5 are not in the scope of the coercer's attack. For all the other three requirements, consider that the coercer, being a theoretical participant, has no power during the election, and as such its attacks are only interesting when there is a collusion with another participant in the election process. When we consider the collusion of the voter and the coercer, the problem reduces to having the receipt-free property, which our protocol has. In fact, this scenario is basically what this property is designed to protect against. If the voter cannot prove how he voted, this attack cannot be carried forward. To see why the receipt-free property holds, consider what information the coercer might get assuming no collusion with the DRE or authorities. He can get the receipt from the voter, and also the content of the BB related to the voter's sessions. These will include all the opened commitments, which will not leak any information. The only other information he will get are the encrypted vote c(x,y) and the index (x,y) of the selected vote from the matrix. Since the index is random, in effect he only has the encrypted vote, which is assumed to be secure and cannot be used to gather any information about the vote itself. Another potential attack - the forced abstention attack - was mentioned before. However, having the option of regenerating the matrix gives any voter the option of selecting the required index from the matrix while at the same time voting for the preferred candidate.

4.7.4 Collusions

This section is the more interesting one, as most interesting and difficult to defend attacks are a product of various collusions. However, since most such attacks will have a principal attacker, so that the second party has only a limited contribution to the attack, our analysis will be made simpler by use of our conclusions from the previous section.

4.7.4.1 Voter and coercer

The coercer and voter being in collusion brings the question of a possible vote buying. To do this, the voter needs to prove his vote. Assuming no write-in ballots (attacks when write-in ballots are used are dealt with in the next chapter) there is no way to use the paper ballot as a proof, as the voter has no access to it. The electronic vote part on the other hand is more susceptible to such an attack. However, with the possibility of restarting the process (as explained before), the voter has no way to actually prove who he voted for.

4.7.4.2 DRE and authorities

As any authority taking part in the election does so by using a shared encryption protocol, their possibility of maliciousness is limited. Getting any information on the randomness used for a set of votes will not lead to any weaknesses, as the votes are summed, and the resulting tally has randomness from other DREs which in effect makes the known randomness useless. (As an analogy think of three random numbers $r_1$, $r_2$ and $r_3$. Knowing $r_1$ gives no information about the sum of $r_1$, $r_2$ and $r_3$ or about any of $r_2$ or $r_3$.)

4.7.4.3 DRE and coercer

As we mentioned before, the problem when the DRE is malicious is a problem by itself, but the seriousness of this problem only manifests itself when there is a collusion with the coercer. As with most voting protocols (where the DRE knows who the voter voted for), there is not much that can be done to definitely defend against vote-buying. The only remaining possible defense is to prevent the DRE from successfully informing the coercer of the voter's choices. This, however, can only be prevented by using sophisticated software engineering practices. One defense is to limit any submitted information, including any information secretly hidden inside valid data. This however can to some extent be limited by having the DRE publish its random number generator after the protocol is finished. Of course, this approach can open its own can of worms (meaning that all random numbers generated will need to be accounted for, which will relay information about all the exchanges made between the DRE and the voter).

4.7.4.4 Authorities and coercer

The coercer is interested in any information about who a certain (or any) voter voted for. However, as mentioned before, the authority only acts as part of a group, and has in practice no access to any secret information that can be used for this purpose. Here we assume that k out of n authorities are not malicious, and as such the security of the secret sharing scheme provides us with the knowledge that the few shares of the secret the malicious authorities have do not leak any information about the master key.

4.7.4.5 DRE, authorities and coercer

Having the DRE, the authority and the coercer collude all at once is the ultimate test for a voting protocol. However, in our case the argument against the Authority, having limited power that is of no great practical use, still applies, practically reducing the problem to the collusion of DRE and Coercer case.

4.7.5 Recovery

One last important point related to security is the possibility that a malicious DRE or even authority tries cheating but is caught by our safeguards, either by a failing demonstration of commitments or by an incorrect proof of correctness. In these cases there need to be principles and rules in effect that will handle these situations with maximum security and minimum disruption of the voting process.

First of all the malicious or malfunctioning units should be banned from the election. In the case of an authority, the protocol can continue to function properly and with no potential hazard. In the case of a DRE, the problem is more complicated. The possibility of the DRE having managed to cheat before getting caught is a real problem, and must be dealt with. The most straightforward and trustworthy method would be to use the paper ballots, instead of using the electronic votes. So the electronic votes should be invalidated, and the paper ballots should be manually counted and added to the end tally. Of course, to be able to do this smoothly, the system engineers should consider this possibility and
implement manual overrides to accomplish this functionality without causing major problems, should the need arise.

The last step in the case of a malicious/malfunctioning DRE would be to analyze it to find out the reason of the problem. The information gathered should not only be used to find out if any malicious party is involved, but also to check the DREs in working condition to make sure they do not exhibit similar signs and are potentially compromised.

4.8 Conclusion

Paper-based voting systems have been used for centuries now, and ways to prevent cheating have been found and implemented over the years. However, even today these systems are still not perfect, and as such we believe that perfection from electronic systems should not be expected either. Although pure e-voting systems might still be in need of more studies before they can be classified as secure as paper systems by most people, we believe that a hybrid system like the one presented here might be a stepping stone until that day arrives.

In this chapter we presented a voting protocol framework that combines three popular concepts in the area. The first two are the homomorphic encryption schemes and supporting voter verifiable receipts without giving up the receipt-freeness property, which is of key importance. The third concept that was added is the use of actual paper-based ballots as part of an electronic voting system. Although we are not aware of all these concepts being used in a single voting protocol, our main contribution in that direction is the demonstration that the synergy of these tools adds up to more than the parts themselves.

Perhaps the most important contribution we presented in this chapter is our partial links of e-ballots and paper-ballots, making the whole greater than the sum of its parts, when it comes to using the Mercuri method. This can be useful when counting all the paper ballots is deemed to be too much work, especially since the electronic count will be ready soon after the election ended. But enhancing the use of the paper ballots by
making them directly auditable records and not just a fall-back for possible recounts is a welcome additional benefit. This can be used by poll watchers and auditors to ensure the consistency of electronic and paper votes, thereby increasing the level of security when the electronic votes are used as the primary count.

The security analysis and its methodology can be considered a further contribution to the field. Although some detailed security analyses were carried out for some voting protocols before (mainly commercial protocols), our use of multiple classification (attackers, coercion, players, trust) gives a different perspective to voting protocol analysis specifically and cryptographic protocol analysis in general. We believe that our analysis methodology will also be useful even for other voting protocols in the future. The use of the analysis is not limited to protocol designers but extends also to system designers and software engineers working on a protocol implementation.

CHAPTER 5
WRITE-IN BALLOTS

5.1 Introduction to Write-in Ballot Support

Several election constituencies (mostly in the United States) give the electorate the option to vote for write-in candidates. Supporting this notion in electronic voting protocols is one of the goals of current research. Previously popular blind signature based schemes were able to support write-in candidates rather easily [77], however with mix-net and especially homomorphic encryption based systems, this became more of a challenge. Because supporting write-in candidates is generally not considered to be a key property, and because of the difficulties associated with supporting both write-in candidates and coercion resistance simultaneously, many current protocols do not support this property.

Supporting write-in ballots in homomorphic encryption based schemes is considered to be an especially difficult challenge, mainly since in these protocols the votes are not decrypted before tallying; they are added up in encrypted form and then decrypted, which would not work with write-in votes. On the other hand homomorphic encryption based protocols carry several useful properties hard to achieve in other methods, like efficiency and improved privacy resulting from the fact that individual votes are not decrypted separately. Supporting write-in ballots in homomorphic encryption based systems was first achieved by Kiayias and Yung [52] with the vector-ballot approach. Unfortunately their method only supports universal verifiability and not voter verification. Several other protocols also support write-in ballots, yet they either cannot satisfy one of the two key assumptions (uncoercibility and verifiability) or they are far from practical.

The protocol we propose supports both write-in ballots and voter verification - which has been considered a key requirement in the last few years [72, 121], although it is primarily based on homomorphic encryption. It is based on the same framework as the vector-ballot approach developed by Kiayias and Yung [52], but it incorporates a novel method for write-in ballots. The underlying machinery of the write-in support uses the
same concept of Chaum's Pret-a-Voter protocol [71], but the method to use this machinery for write-in ballots is first developed here.

5.2 Previous Work

Acquisti's protocol [78] is the first homomorphic encryption based protocol that supports write-in ballots, however that protocol is a generic protocol, rather than one designed with specific requirements in mind. While it might be a good choice for online voting, it is not sufficiently suitable for protocols based on DRE machines. Of voting systems specifically designed to be used in real elections, Kiayias and Yung's protocol [52] is the first homomorphic encryption based protocol supporting write-in ballots. However it does not support voter verification. Our system is based on this protocol, but supports voter verification. Although not necessarily proposing new protocols, [147–149] contain analysis of write-in ballot supporting protocols.

Acquisti's Protocol [78] satisfies most properties that our system does. But it seems like the protocol assumes that voters have access to a secure computation device for encryption and decryption purposes. Assuming such devices are not allowed in the voting booth, it is unclear if the voter can verify the computations done by the DRE used for this purpose.

Some non-homomorphic encryption based systems support write-in ballots as well. Of the relatively more recent ones, Threeballot [122] supports write-in ballots, thanks to its non-cryptographic design, but this same reason also causes the protocol to lack in practicality. Klonowski et al. [150] reformulate Chaum's visual voting scheme and state how write-in votes are supported. Hosp suggests a way to add write-in votes to Punchscan [125].

A major problem with supporting write-in ballots is the difficulty of preventing information leakage. Juels and Jakobsson [114] argue that supporting write-in votes prevents coercion resistance because of this problem. There probably is no good way of completely preventing this attack, however we believe that the same problems exist in
paper-based elections, which did not cause any critical debates in the past, so we believe that by a careful deployment procedure this weakness can be greatly mitigated. In Section 5.6.1, we give some preventative measures against this type of attack.

The voting system designed by Andrew Neff for the company Votehere [72] also satisfies the voter-verifiability and coercion-resistance properties, but does not support write-in ballots. It is the only commercial system supporting cryptographic voter verification with details (source code and extensive documentation) made public. It is based on mix-nets and the cryptographic receipt is generated using the cut-and-choose method, similar to the method used in our protocol. For some potential security risks related to this protocol or Pret-a-Voter when considered as a complete system see the analysis carried out by Karlof et al. [81].

5.2.1 Vector-Ballot Approach by Kiayias and Yung

This protocol does not assume voting is done in a voting booth, but it can be readily used with that assumption. This assumption would also make the protocol coercion-resistant, without the need for randomizers [25] which the authors mentioned as another possible solution. The main new idea is the support of write-in votes. To this end the authors propose a composed ballot - the so called 'vector ballot.' Since either only a pre-listed candidate or only the write-in part should be used by each vote, a way to insure ballot validity and regularity is required. This is solved using 'provably consistent vector ballot encodings.' The two different types of votes will be tallied differently, the regular votes using homomorphic encryption (therefore efficiently), and the write-in votes by mix-nets. The details of this protocol were given in the previous chapter, so the reader is suggested to review that description before continuing.

5.2.2 Pret-a-Voter

As our construction for the write-in ballots borrows closely from the Pret-a-Voter protocol invented by Chaum, we give a detailed description of the system, building on the shorter description given in Section 4.4.4.

5.2.2.1 Introduction

This protocol is a practical improvement on Chaum's image based protocol [71], and is based on an idea from [151]. One of the key points of this protocol is that the voting device never learns the intended vote, thereby eliminating several security risks directly. The pre-prepared ballots have what is called an onion, which is an encrypted form of the order the candidates are listed. The user selects his candidate from a shuffled list, marks it in the voting booth, and on his way out, drops part of the ballot into the voting box. This part does not have the candidate list, so any malicious entity trying to use it without decrypting the onion would not be able to get far, as it would be impossible to know which candidate the vote is for. The selected candidate can only be seen after the encryption is opened - which happens after an anonymizing step. The part of the ballot that the voter keeps is used as a receipt - it cannot be used to prove which candidate was selected, but it can be used to verify that the correct encrypted vote was submitted to the server. The main issue with this approach is the extensive need for setting up the ballots and the implied complexity, which causes an increase of potential pitfalls and a decrease in perceived security of (and by extension trust to) the system.

5.2.2.2 Overview

The ballots in this protocol consist of two separable parts. One part will have a randomly ordered list of the candidates. The other part will have the so called onion, which can be used to reconstruct the ordering. This second part is also where the voter marks his choice. These ballots will be distributed before the election starts, and they will be randomly audited for correctness. In the voting booth, the voter will separate the two parts of the ballot, and feed the part which has the onion into the voting machine. Since the voting machine will not see the ordering, it will not know which candidate the voter is voting for.

As the security of the election would depend on the correctness of the ballots, auditing the ballots before the election is an integral part of this protocol. There are
several different checks for correct ballot construction, each with a different level of thoroughness. Here is a list and brief descriptions:

Single Dummy Vote: Here Anne just casts a dummy vote, and sends the receipt to the tellers. The tellers open the vote and inform Anne of the apparent vote.
Multiple or Ranked Dummy Vote: This is very similar to the previous one repeated several times in succession.
Given the onion value the tellers return the candidate ordering
Return the seed, and run the checking algorithm to see if it is well-formed: Unlike the first three checks, this one is not readily vulnerable to collusion attacks. This mode 4 check is described in detail in the paper, but one assumption that is made that strengthens this audit is that the onion function is bijective.

Once the ballot is cast, the voting device submits the vote (same as the receipt) to the bulletin board. The tellers then start to process the votes, by decrypting their part. At the end the plain votes will be published, but the links to the initial receipts will be lost.

Checking that the vote recording devices work correctly is done mostly by the voters, who can verify if their receipts are posted on the bulletin board. It should also be checked that no extra vote is cast, which can be done by comparing the counts and/or by use of digital signatures. Checking on the tellers if they performed the mix correctly is done by randomly picking either the incoming or outgoing edge for each vote and asking the teller to verify correctness. Since each teller performs two mixes, this does not compromise privacy.

5.2.2.3 Set-up

The authority creates a large amount of ballots, where the candidates are listed in a fixed order (but starting at a random index) on the left side and with space for the voter to mark his choice on the right side. The right side also contains the so called onion, for which the details will be explained later. These ballots are distributed and some random audits (which were briefly explained in the previous section) can be performed to make sure of their correctness and security.

5.2.2.4 Ballot construction

For each ballot, the authority generates a seed, a combination (concatenation) of 2k values (assuming k tellers), which will be called 'germs' and represented as $g_i$. The seed will now be a sequence of these germs, so

$$\text{seed} = g_0, g_1, g_2, \ldots, g_{2k-1}$$

The offset will then be calculated for $i = 0, 1, 2, \ldots, 2k-1$ as

$$d_i := \mathrm{hash}(g_i) \pmod{v}$$

The cyclic offset is then calculated by taking the hash values of these germs and adding them and finally taking the modulo v - where v is the number of candidates. So

$$\text{cyclic offset} := \sum_{i=0}^{2k-1} d_i \pmod{v}$$

Also, to be used in the next phase, each teller generates two private-public key pairs.

Now, the first teller takes the first germ, appends a random value and encrypts it using his first public key. He then prepends the second germ to this and encrypts it again - this time using the second public key. Afterwards, he sends the result to the next teller. All tellers (in a predetermined order) repeat this process, and the final result is the onion. So the onion can be given by

$$\{g_{2k-1}, \{g_{2k-2}, \ldots, \{g_1, \{g_0, D_0\}_{PK_{T_0}}\}_{PK_{T_1}} \ldots\}_{PK_{T_{2k-2}}}\}_{PK_{T_{2k-1}}}$$

Or it can be given as the equations

$$D_{i+1} := \{g_i, D_i\}_{PK_{T_i}}$$

$$\text{Onion} := D_{2k}$$

5.2.2.5 Tallying

On the bulletin board, the first column will be exactly like the printed receipts held by the voters: an onion value with the selected candidate's secret index ($D_i$) and the order of the selected vote in the ordering given (but encrypted/encoded) by the onion ($r_i$). This same column is now passed to the first teller. Now, each teller, taking the previous (D, r) pair applies the following procedure:

1. Apply its first private key to get the germ and the onion: $g_{2i-1}, D_{2i-1} = \{D_{2i}\}_{SK_{T_{2i-1}}}$
2. Apply the hash function to the germ value to get $d_{2i-1} = \mathrm{hash}(g_{2i-1}) \pmod{v}$
3. Get the new r value by $r_{2i-1} = r_{2i} - d_{2i-1} \pmod{v}$.

After having completed this procedure with all pairs, the teller applies a secret permutation and posts the resulting (D, r) pairs to the middle column. The teller now repeats the same process (including the procedure, shuffling and posting) to $(D_{2i-1}, r_{2i-1})$, resulting in the pairs $(D_{2i-2}, r_{2i-2})$, which will be posted to the last column. The final pair will be a representation of a decrypted vote so that everybody can see the final results.

5.2.2.6 Security checks

To insure the authenticity of the ballots one or more of the following checks should be applied:

Checking the Authority: The main method to check the auditors is to check the correctness of some ballots before the election.
Checking the Voting Devices: This is mainly done by the voters, who check the bulletin board to confirm that their receipts appear correctly.
Checking the Tellers: Each teller will be audited by an authority, who will take the middle column and challenge the teller to produce the incoming or outgoing link randomly. This makes sure that the likelihood of any mis-transformation is very low while retaining the secret permutation, thanks to the two step shuffle performed by each teller. For details see Section 5.2.2.7.

5.2.2.7 Checking the teller

For each teller, the auditor goes to the middle column (the first column being the input, the last the output and the middle column being a half-completed mix, i.e., only one of the two mixes is done by that teller) and assigns R or L to each (r, D) pair. For each R the teller proves the correctness of the second mix (or shuffle) and for each L the first step. This is done by the teller giving the germ value $g_i$. As $r_{i-1}$ and $D_{i-1}$ as well as $r_i$ and $D_i$ are already published, the auditor can check that $D_i = \{g_{i-1}, D_{i-1}\}_{PK_{T_{i-1}}}$ and $r_{i-1} = r_i - \mathrm{hash}(g_{i-1}) \pmod{v}$.

To conclude this section, we again point out that neither of these systems supports write-in ballots while preserving the receipt-freeness and verifiability requirements in a practical manner. In the next section we describe our proposed protocol that will give a notable solution to this problem.

5.3 Our Contribution: Supporting Write-in Ballots

In this section we give the description of our proposed protocol for supporting write-in ballots in homomorphic encryption based voting protocols. The details and a sample protocol constructed using the protocol described in the previous chapter will be given in the following sections.

The basic idea of our protocol is to have ballots with two parts: one for predetermined and one for write-in candidates. After insuring that no ballot is using both parts at the same time, the ballot parts will be separated. The first part will be tallied using homomorphic encryption and the write-in part will be tallied differently. The write-in part will be encoded during the casting phase using a different and arbitrary permutation of each letter. The permutation will be encrypted using a mix-net. The same mix-net will decrypt the permutation, and arrive at the plaintext write-in candidate name. During the mix-net, the link between the encrypted and plaintext votes will also have been lost.

5.3.1 Setup

The write-in ballot forms will be prepared and printed before the election. They will be distributed to the voting booths, but care must be taken that only official ones are actually in the booth. Randomly sampling these ballots and checking their construction should be part of the security measures taken [71]. The ballots themselves will consist of 4 parts. The main part will be a grid of $k \times l$, where k is the size of the required alphabet (probably the English alphabet along with special characters like space and punctuation marks), and l is the maximum number of characters a write-in name can contain. The grid will be filled with symbols from the alphabet, such that each column will have each symbol exactly once, in a random order. The top of the grid will have l boxes, aligned with the columns, for the name of the chosen candidate, and will be mainly used to facilitate constructing the ciphertext. The left part will consist of the alphabet, in order, and aligned with the rows. This also is for aiding the voter in constructing the ciphertext. At the bottom will be a detachable part, consisting of l aligned boxes for the ciphertext, along with the onion, which will be explained in detail later. In effect the form will be a one-time pad, and the voter will need to make the encryption. This will arguably be too complicated for many voters, but with a clear design and easy to follow instructions, the majority of voters should be able to do it within a minute. Considering the fact that most voters do not use the write-in part, this should not be too serious a concern.

In Figure 5-1 the sample ballot shows how a voter wishing to vote for candidate "BOB" would work out the ciphertext. The lower part that will be fed to the device is where the string (ciphertext) "DLK" and the onion appear.

5.3.2 Participants

The participants in this protocol are the same as the ones we described in the previous chapter:

BB: The public 'read-only' bulletin board

Figure 5-1. Sample write-in ballot

VD: The voting device
V: The voter
$A_i$: The authorities

5.3.3 Protocol Overview

Setup. Using a threshold homomorphic encryption function (for example Paillier), the authorities $A_1, \ldots, A_m$ generate their secret shares and also publish the public key to the BB.

Casting. After the voter gets into the voting booth, VD presents a $d \times n$ grid to the voter, where d is a security parameter. Each row contains (in random order) all of the candidates, plus possibly one for abstaining and one for 'write-in's. If the voter requests, VD generates another grid with the same properties. This prevents a forced-abstention attack [114], i.e., prevents the Coercer from asking the voter to vote for a specific row and column thereby effectively randomizing his vote. (This attack was not mentioned in [126].) Once the voter confirms that he is satisfied with the matrix, he confirms and waits for the VD to print a cryptographic commitment to the grid. These commitments essentially follow the same lines as [126], and insure with $\frac{d-1}{d}$ probability that the vote will be cast as intended. The voter then selects his choice, after which VD opens all the unchosen rows, and also prints the chosen row and column.

At this point one important practical weakness is apparent. As in some similar systems [72], the voter needs to make sure that while selecting his choice the VD does not change the unselected rows, which would be caused by the VD trying to cheat (although it might or might not have succeeded, depending on whether the selected row was changed as well). But no defense against this was mentioned in previous publications, although the risk of similar possible attacks was mentioned [126]. One possible way to circumvent this attack is (with a minor cost of some inconvenience to the voter) to let the voter deselect each non-chosen row, rather than selecting the desired row. This will make it possible to focus on the correctness of all rows, so a cheating VD will be caught with the theoretically calculated probability.

If the voter decided to vote for a write-in candidate, he fills out a write-in ballot, removes the top part and discards it, then submits the lower part with the encrypted name and onion to the VD. In that case the encrypted name will be submitted to the BB as given, otherwise it will be an encryption (with the public key of the Authorities) of 0.

Ballot Submission. Once the VD has the voter's choice, it forms the vector ballots as described in [52], and publishes them to the BB along with the zero-knowledge proofs.

Tallying. The first component of the ballots - i.e., the pre-listed candidate part - is tallied by adding the ciphertexts, which will be decrypted afterwards by the authorities using their secret key shares. The write-in parts will be opened (the "shrink-and-mix" method devised in [52] can be applied¹ first to improve efficiency, but it will be ignored here) and decrypted using a special mix-net.

¹ The fact that the write-in ballots are not encrypted with the authorities' public key when they are used does not prevent the method from working, as these are not opened in the original system either. The only requirements for this method are that the flags encrypt 0's and 1's according to which part of the ballot is used and that the write-in parts encrypt 0 with the authorities' key when it is not used. Both of these requirements are satisfied in our protocol as well.

5.3.4 Vector Ballots

The initial ballots will contain both the pre-listed candidate portion and write-in portion. They will consist of 3 separate parts:

Pre-Listed Candidate portion. This part will consist of an encryption of either 0, or of one of the choices $\{1, M, M^2, \ldots, M^n\}$, where M is a number larger than the number of potential voters. (See [52] for a more efficient method.)
Flag. This will be an encryption of 0 if a pre-determined candidate is chosen, 1 if a write-in candidate is chosen.
Write-In portion. This will be a secret permutation of the chosen write-in candidate, or an encryption of 0 if a pre-listed candidate is chosen. Rather than 0, a longer string in the form of $0^l$ might need to be used to have the two types of encryption have the same length and be indistinguishable.

Note that the use of $0^l$ to hide the length of the encryption seems to prevent the shrink-and-mix method from working. However, there is a way around this problem. If we use a fixed non-zero number, S, we can just compare the sum of the write-in portion for each batch to $bS$, rather than 0, to see if any of the write-in parts are actually used.

Apart from the write-in candidate's name (if any), all encryptions will be done using the Authorities' public key. For each posted ballot, the VD will publish a zero-knowledge proof, showing that at least one of the following is true:
The first part is an encryption of 0 and the second part is an encryption of 1
The first part is an encryption of an element from the given set of choices, the other two parts are an encryption of 0

One point that needs to be emphasized is the fact that the write-in candidate (if chosen) is not really encrypted with the public key of the Authorities. But as one can see from the above list, the only case where that part is relevant is when it is supposed to be an encryption of 0, so this does not present itself as a problem. So the zero-knowledge proof is exactly the same as proposed by Kiayias and Yung, hence details can be found in [52].

5.3.5 Pre-Listed Candidates

Once the election is finished and the zero-knowledge proofs are verified, the tallying phase starts. Since at this point it has been verified that at most one part of the ballot is used, one can safely separate the ballots into two parts:

The pre-listed candidates, as represented by the set of choices
The flag and the write-in part portion. The flag may be necessary for the shrink phase that will get rid of some empty write-in votes (those will have been voted for a pre-determined candidate and their vote will be counted using homomorphic encryption).

Counting the first part will be straightforward, thanks to the homomorphism property. Each vote will be added, and the resulting ciphertext will be decrypted by the Authorities, using their secret shares. Note that ballots for which write-in candidates were chosen will not affect this count. When this step is finished, depending on the election procedure, the results can be announced unofficially (if it can be deduced that the remaining write-in votes will not affect the result), or the results from the write-in parts will be waited for.

5.4 Write-in Ballot Details

We already explained the way the write-in ballot is constructed as it would appear in the perspective of the voter. To understand the underlying idea of this construction, and realize how it would facilitate voting for a write-in candidate securely and privately, consider Chaum's construction of the onions. The use of germs worked as a simple
permutation (actually just an offset, but in principle can be considered a permutation, and in our case the analogous construction will be a permutation), and as the ballot is transferred from teller to teller, this permutation was combined with other permutations, at the end getting the final permutation, which is used to construct the actual vote using the index. Note that technically, each teller could have shifted the index, rather than transforming the permutation (obviously the shift would have been the inverse of the permutation). This observation will be the key idea in our construction.

5.4.1 Ballot Construction

Each teller $T_j$ generates $2l$ random numbers $r_i$ from a field of size $2^h$, for which $2^h > s!$ holds, where s is the alphabet size. So for an alphabet of size 30, h = 72 should be sufficient. Each of these numbers will map to a specific permutation of letters by a pre-determined algorithm. Note that this size can be reduced by having a partial set of permutations to choose from. The composition of these permutations will form the actual permutation used in the ballot. (Unlike in Chaum's protocol, the use of hash values rather than $r_i$ is not really necessary, as the guessing attacks would not be feasible here.) The onion and the final permutation will be constructed by the same formula given by Chaum:

$$D_{i+1} := \{r_i, D_i\}_{PK_{T_i}}$$

$$\text{Onion} := D_{2k}$$

In effect this will be done for each of the l letters, and each $D_0$ will be a random number. To make this idea work in our scheme, we also need to add a control string (either a specific predetermined string or a checksum would work) of some pre-determined length c. The reason for this is the fact that the mix will start not only with the actual write-in votes, but also with the 0 encryptions from voters who voted for a pre-determined
PAGE 102

candidate.Aseachgermisopenedbythetellers,ifthiscontrolstringdoesnotmatch,thepair(i.eonionandciphertext,whichareactuallyinonestring)isdiscarded.Iftherearektellerseachperforming2mixes,theprobabilitythatanencryptionof0willnotbediscardedis2)]TJ /F4 7.97 Tf 6.58 0 Td[(dk.Soincreasingdsucientlywillreducethistoalmostzero.Notethatevenifsuchastringisnotdiscarded,itwilljustbearandomstringafterdecryption,notinterferingwiththeelectionresults.Notealsothatthelastteller(ortherstonewhendecrypting)shouldnothavethischeck,asthatwillmakethetellerabletoconcludethatavotewasnotforawrite-inwith1)]TJ /F1 11.955 Tf 11.95 0 Td[(2)]TJ /F4 7.97 Tf 6.58 0 Td[(dprobability. 5.4.2OpeningBallots Toextractthewrite-invote,foreachballot,eachTellerwillperformthefollowingactionsforeachletter: OpenD2i+2,togetr2i+1.Iftheredundantstringdoesnotcheck,discardthepair,otherwiseapplytheinversetransformationspeciedr2i+1toC2i+2,whichistheciphertext,C2kbeingthetextenteredbythevoter.Mixtheballots.SubmittheresultingballotstotheBB. Repeatthesameprocessoncemore.TheresultingballotswillbethestartingpointofthenextTeller. 5.4.3Auditing SinceeachTellerperformedtwomixes,foreachballotinthemiddlecolumn,eithertheincomingortheoutgoinglinkwillbechosen,whichtheTellerwillverifybyrevealingthelinkandtherelevantrandomnumber.AsinChaum'sprotocol[ 71 ],theuseoftwomixesinsuresanonymity. 5.4.4ProofsofKnowledge Severaltypesofzero-knowledgeproofsareprovidedin[ 25 ].Howtogetazero-knowledgeproofforthevector-ballotisexplainedin 2.7 .Theauditingphaserequiresthetellerstoprovecorrectshuinganddecryption,whichwasdemonstratedin[ 71 ].Theideaisforthetellertorevealthegermvalueandshowthatitsatisesthenecessary 102

PAGE 103

constraints.Thesamemethodwillbeusedinourprotocol.Foralldroppedpairs,germswhichdonotsatisfytheredundantstringchecksarerevealedanddemonstrated. 5.4.4.1Proofofknowledgeforthemixingphase Recallthatateachstepofthemix,theauditorselectsanRorLforeach(r,D)pair.FortheRthemixerwillneedtodemonstratethegivaluethatwasused.TheauditorthenchecksifDi=fgi)]TJ /F4 7.97 Tf 6.59 0 Td[(1,Di)]TJ /F4 7.97 Tf 6.58 0 Td[(1gPKTi)]TJ /F10 5.978 Tf 5.75 0 Td[(1.Forthemixertocheatwithoutriskingbeingcaught,hewillneedtondag0i)]TJ /F4 7.97 Tf 6.59 0 Td[(1suchthatDi=fg0i)]TJ /F4 7.97 Tf 6.58 0 Td[(1,Di)]TJ /F4 7.97 Tf 6.59 0 Td[(1gPKTi)]TJ /F10 5.978 Tf 5.76 0 Td[(1holdsaswell.Thatinturnrequiresthemixertoaccomplishgeneratingtwonumbersgi)]TJ /F4 7.97 Tf 6.58 0 Td[(1andg0i)]TJ /F4 7.97 Tf 6.58 0 Td[(1,suchthattheirconcatenationtoarandomstringresultsinthesameciphertext.Firstofall,thereisevennoguaranteethatthereexistssuchtwonumbersforagivenstring.Also,evenwiththeprivatekeythiswouldnotbesolvable.Furthermore,withoutthepublickey,thiswouldrequirethemixertosolvethefollowingproblem: ForagivenS,ndapair(m,m0)andapair(r,r0),suchthatgm+Srn=gm0+Sr0n(modn2) SincethegStermcanbecanceledout,thiswouldrequirethemixertondtwopairssuchthatgm)]TJ /F4 7.97 Tf 6.58 0 Td[(m0=(r0 r)n(modn2) Notethatthisequationcanbesolvedonlybyeitherndingthenthrootofagivennumber,orbyndingthediscretelogofagivennumber.Sothemixerwillneedtobeabletodooneoftheseoperations,bothofwhichareassumedtobeinfeasible. 103
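The ballot construction of Section 5.4.1 and the opening procedure of Section 5.4.2 can be traced end to end in code. The following Python sketch is an added example, not code from the dissertation. It assumes factorial-base unranking as the "pre-determined algorithm", replaces each teller's public-key layer with a keyed SHAKE-256 stream (a stand-in only), carries all letter positions of a ballot in one onion, and models the 0 encryptions as random strings; all names, sizes and sample votes are constructed.

```python
import hashlib
import random
import secrets
from math import factorial

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ .'-"   # s = 30 symbols (constructed)
S = len(ALPHABET)
L = 6                      # letters per write-in name (constructed)
GERM_BYTES = 16            # size of one germ r_i (assumption of this sketch)
CONTROL = b"WRITE-IN"      # predetermined control string (constructed value)


def germ_to_perm(r):
    """Assumed 'pre-determined algorithm': factorial-base unranking of r."""
    r %= factorial(S)
    pool, perm = list(range(S)), []
    for i in range(S, 0, -1):
        idx, r = divmod(r, factorial(i - 1))
        perm.append(pool.pop(idx))
    return perm


def _stream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)


def seal(key, data):
    """Stand-in for {.}_PK_T: keyed stream XOR, NOT the public-key layer."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))


def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))


def make_ballot(layer_keys):
    """Build Onion = D_2k and the composed permutation for each letter position."""
    onion = secrets.token_bytes(16)                       # D_0 is a random number
    perms = [list(range(S)) for _ in range(L)]
    for key in layer_keys:                                # D_{i+1} := {r_i, D_i}
        germs = [secrets.token_bytes(GERM_BYTES) for _ in range(L)]
        for pos, g in enumerate(germs):
            p = germ_to_perm(int.from_bytes(g, "big"))
            perms[pos] = [p[x] for x in perms[pos]]       # newest layer applied last
        onion = seal(key, CONTROL + b"".join(germs) + onion)
    return onion, perms


def voter_encode(name, perms):
    """The voter only looks symbols up in the printed permutations."""
    return "".join(ALPHABET[perms[pos][ALPHABET.index(ch)]]
                   for pos, ch in enumerate(name.ljust(L)))


def open_layer(key, onion, cipher, check):
    """One teller step: open D, test the control string, undo one permutation."""
    plain = unseal(key, onion)
    if check and plain[:len(CONTROL)] != CONTROL:
        return None                                       # discard the pair
    body = plain[len(CONTROL):]
    out = []
    for pos, ch in enumerate(cipher):
        g = body[pos * GERM_BYTES:(pos + 1) * GERM_BYTES]
        p = germ_to_perm(int.from_bytes(g, "big"))
        out.append(ALPHABET[p.index(ALPHABET.index(ch))])  # inverse permutation
    return body[L * GERM_BYTES:], "".join(out)


def run_mix(layer_keys, pairs):
    """Peel layers outermost first; the first opener skips the control check."""
    for n, key in enumerate(reversed(layer_keys)):
        opened = [open_layer(key, o, c, check=(n > 0)) for o, c in pairs]
        pairs = [p for p in opened if p is not None]
        random.SystemRandom().shuffle(pairs)              # the mix itself
    return sorted(c.rstrip() for _, c in pairs)


def demo():
    keys = [secrets.token_bytes(32) for _ in range(4)]    # k = 2 tellers, 2 layers each
    pairs = []
    for name in ["ALICE", "BOB"]:                         # constructed write-ins
        onion, perms = make_ballot(keys)
        pairs.append((onion, voter_encode(name, perms)))
    size = len(pairs[0][0])
    for _ in range(3):                                    # stand-ins for 0 encryptions
        junk = "".join(secrets.choice(ALPHABET) for _ in range(L))
        pairs.append((secrets.token_bytes(size), junk))
    return run_mix(keys, pairs)


if __name__ == "__main__":
    print(demo())
```

With an 8-byte control string, a dummy entry survives one checked layer with probability $2^{-64}$, so the three stand-in entries are dropped at the first checked layer and only the two write-in names come out of the mix.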


5.4.4.2 Probability of a cheating mixer being caught

To cheat by corrupting one of the $t$ ballots (see footnote 2), the mixer needs to guess which of the two mixes he will be asked to publish, which gives a $\frac{1}{2}$ probability of being caught. To cheat by corrupting $c$ votes, the mixer will need to make a correct guess for all $c$, which gives a $\frac{1}{2^c}$ probability. So for $c = 10$, the probability of corrupting $c$ votes drops below 1 in 1000.

Footnote 2: Note that the mixer does not know how to open the remaining germs, so he cannot change the vote to some specific candidate, unless he is the last mixer in the decryption process.

5.5 Sample Protocol

In this section we improve the protocol proposed in the previous chapter by including the write-in ballot construction explained in the previous section. As the write-in protocol enhancement is a generic one, this will also demonstrate how it can be embedded into a homomorphic encryption-based system. The participants and registration phases are the same as before, so we will detail the voting and tallying phases.

5.5.1 Voting

1. VD displays an $n \times d$ matrix, where $d$ is a security parameter (where a large $d$ increases security but might lower usability), and $n$ is the number of candidates plus a generic 'write-in', and a possible abstain. Each row in this matrix consists of these candidates in a random order. Before submitting the vote, if the voter requests, VD generates another grid with the same properties.

2. VD now generates random numbers $r_{n \times d}$ and prints commitments $c(x,y)$ for each cell in the matrix, to ensure that the VD cannot change the content of a cell in the candidate matrix. $m_i$ will be 0 for the write-in candidate, so that $c(x,y)$ will be just the $n$th power of a random number, $r_{x,y}^n \pmod{n^2}$. These commitments are also sent to BB, where they will be publicly verifiable.

3. At this stage, the voter decides on his candidate, and at that point there are two cases:

   (a) If the voter decides to vote for a predetermined candidate, V first randomly selects a row, and then submits his chosen row and column (and thereby candidate). VD prints the paper ballot, and adds a randomized re-encryption of the same vote by multiplying $c(x,y)$ with a new random number $r'_{x,y}$. This re-encryption will be used for auditing purposes. VD then waits for a confirmation. V inspects the paper ballot, and if the ballot shows his chosen candidate confirms the ballot. After the confirmation from V, VD deposits the paper ballot into the ballot box.

   (b) If the voter decided to vote for a write-in candidate, he fills out a write-in ballot, removes the top part and discards it, then submits the lower part with the encrypted name and onion to the VD. In that case the encrypted name will be submitted to the BB as given, otherwise it will be an encryption (with the public key of the Authorities) of 0.

4. VD then opens the commitments for unchosen rows by printing the random order of the candidates along with the random numbers used for the commitment (and encryption) on the paper receipt. It also prints the location of the selected cell (the row and column numbers), but not the name of the candidate in that cell. VD finally adds a signature of the content of the receipt at the end of the receipt, to ensure the authenticity of the receipt. The same data is also sent to BB.

5. Finally, VD sends the encrypted vote $c(x,y)$ for the chosen cell $(x,y)$ to the BB for tallying purposes. $c(x,y)$ can be compared to the receipt on the BB, so cheating at this step is not possible.

6. At the end of the voting session, VD sends the list of the re-encrypted votes to the BB. It also adds a zero-knowledge proof that shows the sum of these votes and the sum of the primary votes are equal, i.e., the products of both sets of encryptions are equal. The details for this are given in Section 4.5.1.5.

5.5.2 Tallying

This stage has two separate components. The first one is the tallying of predetermined candidates, which will work just as explained in Section 4.5.1.6. The second component on the other hand is for the write-in ballots. This part will be handled as detailed in Section 5.4.2. In short, the two particular ways of voting are already separated at the end of the voting phase, and during the tallying phase these two are not affected by each other, other than adding up the final tallies at the very end.
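The homomorphic tally of the pre-listed candidates and the sum check of voting step 6 can be followed on a toy Paillier instance. This Python sketch is an added example, not code from the dissertation: it assumes $g = n + 1$, a single toy key in place of the Authorities' shared key, a base-1000 candidate encoding, and a private-key check standing in for the zero-knowledge proof; candidates and votes are constructed.

```python
import secrets
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1             # toy key from two Mersenne primes (constructed)
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)                    # valid because g = N + 1 (assumption)

CANDIDATES = ["Adams", "Baker", "Clark"]   # constructed pre-listed candidates
BASE = 1000                                # assumed encoding base, > number of voters


def rand_unit():
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


def encrypt(m, r=None):
    """c = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n."""
    r = r or rand_unit()
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N


def reencrypt(c):
    """Multiply by a fresh n-th power: same plaintext, unlinkable ciphertext."""
    return c * pow(rand_unit(), N, N2) % N2


def product(ciphertexts):
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc


def encode(choice):
    """A write-in ballot contributes an encryption of 0 to this tally."""
    return 0 if choice == "write-in" else BASE ** CANDIDATES.index(choice)


def decode_tally(total):
    counts = {}
    for name in CANDIDATES:
        total, counts[name] = divmod(total, BASE)
    return counts


def sums_match(primary, reencrypted):
    """Step 6 check: the quotient of the two products must encrypt 0.
    The private key is used here only as a stand-in for the ZK proof."""
    quotient = product(reencrypted) * pow(product(primary), -1, N2) % N2
    return decrypt(quotient) == 0


def demo():
    votes = ["Adams", "Baker", "write-in", "Adams", "Clark", "write-in", "Adams"]
    primary = [encrypt(encode(v)) for v in votes]     # c(x,y) sent to the BB
    paper = [reencrypt(c) for c in primary]           # printed on the paper ballots
    tally = decode_tally(decrypt(product(primary)))
    tampered = list(primary)
    tampered[1] = encrypt(encode("Clark"))            # electronic record altered
    return tally, sums_match(primary, paper), sums_match(tampered, paper)


if __name__ == "__main__":
    print(demo())
```

The two ciphertext products are not equal as numbers, since each re-encryption multiplies in a fresh $n$th power; what matches is their plaintext sum, which is why the check looks at the quotient.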


5.6 Protocol Analysis

5.6.1 Receipt-Freeness

The pre-listed candidates will be listed in a random order, and the selected row will not be opened at all, so there will be no way for the Voter to prove his vote. For the write-in part, if a Coercer can get a valid and authentic ballot before the election, he can force the voter to use it and ensure that the write-in selection will be his choice (the same vulnerability also seems to exist in Pret-a-Voter). The prevention lies in not making the ballot forms available before the voting-booth, except for auditors. Another potential security risk is the destruction of the upper part of the ballot, as this in combination with the receipt can be used as a proof for the name of the write-in selection.

There is another rather serious potential security risk, which is always present in any protocol supporting write-in votes, whether based on electronic or paper ballots. A type of forced abstention attack can be used as follows. The coercer can ask the voter to vote for a write-in candidate with an arbitrarily chosen string like 'aaabbbccc', thereby ensuring that the vote will in effect be equivalent to an abstain. One defense against such an attack is to set a minimum for the number of votes needed for a write-in candidate to be included in the official announcement of the results. For example, one can set this minimum to five, and when the tally is calculated and contains one vote for 'aaabbbccc', it will not be made public. This method will greatly reduce the possibility of using this attack.

5.6.2 Vote cast as intended

For the pre-determined list of candidates, the voter is convinced with $\frac{d-1}{d}$ probability that the vote is cast as intended. But with $\frac{1}{d}$ probability the voting device can change the vote to another candidate. Still, with a sufficiently large $d$, cheating several times without getting caught is highly unlikely. Of course having a fair recovery strategy is still of great importance. Since the encryption for the write-in part is verified, the only possibility for changing the vote remains in tricking the voter to use non-authentic ballots. Chaum has some defenses listed against this attack in [71], which would work in our protocol as well.


The paper ballots on the other hand will have been reviewed by the voter, so he will be convinced it is correct. Satisfying correctness this way in turn will imply consistency.

5.6.3 Authority-Voting Device Collusion

This is the most serious problem with our protocol, as usually the systems representing the authority and the voting device will be designed by the same entity. However the same applies for almost all e-voting systems in use today, and our proposal has at least some counters against it, for example the fact that the voting device never learns the write-in vote. Also, less than $k$ of the authorities colluding will not be sufficient, as their part of the key alone will not be useful for any purpose. More than $k$ authorities colluding will be a very serious issue, especially with VD collusions, however we have to assume that the likelihood of having $k$ malicious authorities, that were selected because they are trusted entities or government/local officials, is almost non-existent.

5.6.4 Coercer-Voting Device Collusion

One of the weaknesses of electronic voting protocols is the difficulty of defending against the collusion of a Coercer and the Voting Device. Although the protocols we mentioned prevent the changing of votes, most of them have only limited defenses to protect voter anonymity. Since Pret-a-Voter does not let the voting device know the selected candidate, this is not a problem, but the other schemes do not have sufficient protection. If the Voting Device can either during the election or afterwards submit the records to the Coercer, privacy can easily be invaded. Even physical security against this might not be sufficient, as subliminal random channels might convey the necessary information rather easily [81]. Unfortunately, like all proposed protocols to date, our protocol does not have any additional defense to this attack either.

5.6.5 Denial of Service Attacks

Denial of Service attacks are also a possibility in most electronic voting systems. Preventing these seems to be solved by early detection and recovery, which makes it fragile and necessary for very thorough recovery procedure planning. Again, our system does not have any additional defenses against these types of attacks.

5.6.6 Election procedures to improve security

One problem that needs to be addressed in our protocol is the issue of write-in ballot distribution. If these are distributed freely and early so that various audits and checks can be made, it will increase the possibility of coercion. But without any audits the correctness of these will be an even more pressing problem. So the procedures to be followed for this purpose must be carefully examined and weighed against these potential problems.

5.7 Conclusion

We have presented a homomorphic encryption based voting protocol that supports write-in ballots and voter-verification. Voter verification has been lately considered one of the key requirements for a voting protocol to be used in important elections, while supporting write-in ballots is still one of the focal points for researchers. The protocol is designed to be used with DRE systems inside voting booths. It is coercion-free if the usual assumptions are satisfied. Along with simplifying these assumptions, some further research directions related to this protocol we currently pursue are: the simplifying of the overall system (both the underlying protocol and its ease of use to the voter), improving its efficiency and addressing the aforementioned DoS and collusion attacks.

We do not deny the difficulty of deploying this protocol in practice, especially because filling the write-in ballot would seem to be rather complicated at first sight, which may cause voters to avoid using it. However, we also believe that it is possible for the proposed protocol to be made much more practical with some simple design modifications. For example one idea that would make filling the write-in ballots much more simplified is to use prepared masks (templates) for desired candidates. These can be distributed by candidates, or simple programs that would prepare masks for requested names can be made available. Of course the security implications of any such use of prepared masks will need to be carefully examined.


CHAPTER 6
CONCLUSION

Cryptographic protocols are at the center of most information security related problems arising in our age. Their applications have a wide spectrum, but they mostly use similar techniques. The key to designing a good cryptographic protocol is to separate the requirements that will be handled in the implementation from the requirements that will be handled in the design and to analyze the security of the protocol carefully, especially considering that combining two secure primitives can very often lead to security issues.

6.1 Revocable Anonymity

In this dissertation we studied two areas. In the first area, namely revocable anonymity, the problem was the lack of support for both pseudonym and revocation support. As a solution, we proposed a protocol which simulates an anonymous message board supporting pseudonyms, which are useful to build reputation in an anonymous setting. This message board also supports revocation, to prevent misuse by malicious users, but it also prevents a dictatorial administration by distributing the power to several administrators and giving a predetermined majority the ability to revoke the user's identity. Furthermore, it facilitates the use of this system in applications where anonymity is required only for a limited period, but where the identities of the users will need to be revealed afterwards.

This solution was developed using a modified fair blind signature protocol, which made it possible to register pseudonym/key pairs without revealing the user's identity. Our protocol is the first protocol supporting both pseudonymity and revocation at the same time. There are several practical applications for such a protocol, including wikis, collaboration systems, peer review and multiplayer games. Having such a wide range of useful applications, we believe that this constitutes an important contribution to the field.


6.2 Hybrid Mercuri-Homomorphic Encryption Protocol With Audit Support

In the second area we studied, our problem was to reconcile the difference between the researchers and voting system distributor companies. Specifically, we aimed at combining the Mercuri method with a cryptographically sound electronic voting protocol. After doing this, another important problem was to utilize the paper ballots to increase the security of the electronic votes, without needing a full recount.

Concerning this problem, we first gave some suggestions on how the Mercuri method can be used in a homomorphic encryption based voting protocol and listed some additional benefits that might arise. After fixing several common problems related to the forced abstention attacks that can be found in similar protocols, we also included a basic framework on how the security of voting systems can be evaluated. More importantly, we gave a description of a generic audit mechanism that can also be used in similar voting protocols. This mechanism makes it possible to audit the electronic votes using the paper ballots, without endangering the privacy of the voters. This novel idea gives an added benefit to adopting the Mercuri method, which is already in popular use. To achieve this result, we used re-encryptions of the encrypted votes, and proposed a method that will prevent the voting device from cheating, while still ensuring the privacy of the voters.

6.3 Write-in Ballot Support

The last problem we considered was supporting write-in ballots as part of an electronic voting system, in a practical manner. To this end, we proposed a generic protocol for supporting write-in candidates that can be used with most homomorphic encryption based voting systems and that supports individual receipts, and is receipt-free. Previously no protocol could support both of these requirements without needing computational power from the voter himself, which is not a practical assumption for elections that require voting to be carried out in voting booths. As such, it fills an important gap in the electronic voting area. The way this was accomplished was by having a secret permutation for each letter and designing a simple way for the voter to carry out the encryption without any computational aids using this permutation. The secret permutation is encoded in an encrypted string, and a mix-net is used to decrypt this string and as a result recover the permutation and hence the name of the candidate voted for.

Many people still retain doubts about having an electronic election system, where seemingly any number of votes can be changed with the push of a button. This gloomy view is perhaps too pessimistic, but it also poses a valid concern. However, we have all the tools necessary for a well-functioning and secure electronic voting system. Our goal should be to focus on the weaknesses of current technologies, and design protocols that not only replicate the security and various advantages/characteristics, but actually improve on them by supplying more security and many other enhancements. Voter verifiable receipts, very fast tallying, and ease of use are some of these enhancements, but we also should not forget about other issues like supporting write-in ballots and more importantly voters' perception of security. This perceived security is perhaps the most important obstacle for electronic voting technologies and the only way to overcome this obstacle is by designing better and more secure protocols while also educating the public on the accomplishments.


REFERENCES

[1] Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, second edition, October 1995.
[2] Rebecca Mercuri, "A Better Ballot Box?," IEEE Spectrum Online, October 2, 2002.
[3] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography, CRC, Boca Raton, FL, October 1996.
[4] Vincent Rijmen and Elisabeth Oswald, "Update on SHA-1," Cryptology ePrint Archive, Report 2005/010, 2005, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[5] Martin Cochran, "Notes on the Wang et al. 2^63 SHA-1 Differential Path," Cryptology ePrint Archive, Report 2007/474, 2007, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[6] A. K. Lenstra and B. M. M. de Weger, "On the possibility of constructing meaningful hash collisions for public keys," in Information Security and Privacy, 10th Australasian Conference, ACISP 2005, vol. 3574 of Lecture Notes in Computer Science, pp. 267-279. Springer, Berlin, July 2005.
[7] Christophe De Canniere and Christian Rechberger, "Finding SHA-1 Characteristics: General Results and Applications," in Advances in Cryptology - ASIACRYPT 2006, vol. 4284/2006 of Lecture Notes in Computer Science, pp. 1-20. Springer Berlin/Heidelberg, 2006.
[8] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger, "Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate," Cryptology ePrint Archive, Report 2009/111, 2009, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[9] J. Black and T. Highland M. Cochran, "A Study of the MD5 Attacks: Insights and Improvements," in Fast Software Encryption. 2006, vol. 4047/2006 of Lecture Notes in Computer Science, pp. 262-277, Springer Berlin/Heidelberg.
[10] National Institute of Standards and Technology, "Secure Hash Standard," Federal Information Processing Standards Publication 180-2, 2002.
[11] Mihir Bellare, Ran Canetti, and Hugo Krawczyk, "Keying Hash Functions for Message Authentication," in CRYPTO '96: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, London, UK, 1996, Lecture Notes In Computer Science, pp. 1-15, Springer-Verlag.
[12] American National Standards Institute, "ANSI X3.92-1981," American National Standard, Data Encryption Algorithm, 1981.


[13] American National Standards Institute, "ANSI X9.52:1998," Triple Data Encryption Algorithm Modes of Operation, 1998.
[14] M. Matsui, "Linear Cryptanalysis Method for DES Cipher," in Proceedings of EUROCRYPT '93, Lofthus (Norway). May 23-27 1993, vol. 765 of Lecture Notes in Computer Science, pp. 386-397, Springer-Verlag.
[15] Eli Biham and Adi Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," in Advances in Cryptology - CRYPTO '90, pp. 2-21. Springer-Verlag, 1991.
[16] Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag New York, Inc., first edition, 2002.
[17] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978.
[18] Pascal Paillier, "Public-Key Cryptosystems Based on Composite Degree Residuosity Classes," in Advances in Cryptology - EUROCRYPT 99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238. Springer Berlin/Heidelberg, 1999.
[19] W. Timothy Polk, Donna F. Dodson, and William E. Burr, "Cryptographic Algorithms and Key Sizes for Personal Identity Verification," NIST Special Publication 800-78-1.
[20] Dan Boneh and Matthew Franklin, "Efficient generation of shared RSA keys," in Advances in Cryptology - CRYPTO 97. 1997, pp. 425-439, Springer-Verlag.
[21] Dan Boneh, "Twenty years of attacks on the RSA cryptosystem," Notices of the AMS, vol. 46, pp. 203-213, 1999.
[22] Daniel Bleichenbacher, Er May, and Tu Darmstadt, "New Attacks on RSA with Small Secret CRT-Exponents," in Public Key Cryptography - PKC 2006, vol. 3958/2006 of Lecture Notes in Computer Science, pp. 1-13. Springer Berlin/Heidelberg, 2006.
[23] Jean-Sebastien Coron and Alexander May, "Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring," vol. 20, pp. 39-50. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2007.
[24] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less Than N^0.292," IEEE Transactions on Information Theory, vol. 46, pp. 1339-1349, 2000.
[25] Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, and Guillaume Poupard, "Practical multi-candidate election system," in Proceedings of the twentieth annual ACM symposium on Principles of distributed computing, New York, NY, USA, 2001, pp. 274-283, ACM.


[26] Ivan Damgard and Mads Jurik, "A generalisation, a simplification and some applications of paillier's probabilistic public-key system," in Proceedings of PKC 01, LNCS series. 2001, pp. 119-136, Springer-Verlag.
[27] Alexandre Ruiz and Jorge L. Villar, "Publicly verifiable secret sharing from paillier's cryptosystem," Western European Workshop on Research on Cryptography, July 2005.
[28] Pierre-Alain Fouque, Guillaume Poupard, and Jacques Stern, "Sharing Decryption in the Context of Voting and Lotteries," in Proceedings of the 4th International Conference on Financial Cryptography, vol. 1962 of Lecture Notes In Computer Science, pp. 90-104. Springer-Verlag, London, UK, 2000.
[29] Victor S Miller, "Use of elliptic curves in cryptography," in Advances in cryptology - CRYPTO 85, vol. 218 of Lecture Notes in Computer Science.
[30] Julio Lopez, Ricardo Dahab, and Ricardo Dahab, "An Overview of Elliptic Curve Cryptography," Tech. Rep., Institute of Computing, State University of Campinas, 2000.
[31] David Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. 1998, pp. 199-203, Springer-Verlag.
[32] Cheng-Chi Lee, Wei-Pang Yang, and Min-Shiang Hwang, "Untraceable blind signature schemes based on discrete logarithm problem," Fundamenta Informaticae, vol. 55, no. 3-4, pp. 307-320, 2002.
[33] C.-I. Fan and C.-L. Lei, "Efficient blind signature scheme based on quadratic residues," Electronics Letters, vol. 32, no. 9, pp. 811-813, 1996.
[34] David Pointcheval and Jacques Stern, "Provably Secure Blind Signature Schemes," in Advances in Cryptology - ASIACRYPT '96. 1996, vol. 4484 of Lecture Notes in Computer Science, pp. 252-265, Springer Berlin/Heidelberg.
[35] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks," SIAM Journal on Computing, vol. 17, pp. 281-308, 1988.
[36] David Pointcheval and Jacques Stern, "Security Proofs for Signature Schemes," in Advances in Cryptology - EUROCRYPT 96. 1996, vol. 1070/1996 of Lecture Notes in Computer Science, pp. 387-398, Springer Berlin/Heidelberg.
[37] David Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms," Communications of the ACM, vol. 24, no. 2, pp. 84-88, February 1981.


[38] Douglas Wikstrom, "An Efficient Mix-net," 2002, SICS Technical Report T2002:21. Swedish Institute of Computer Science ISSN 1100-3154.
[39] Dan Boneh and Philippe Golle, "Almost entirely correct mixing with applications to voting," in CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, New York, NY, USA, 2002, pp. 68-77, ACM.
[40] Jun Furukawa and Kazue Sako, "An Efficient Scheme for Proving a Shuffle," in CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, London, UK, 2001, vol. 2139 of Lecture Notes In Computer Science, pp. 368-387, Springer-Verlag.
[41] Douglas Wikstrom, "A Universally Composable Mix-Net," in Theory of Cryptography, vol. 2951 of Lecture Notes in Computer Science, pp. 317-335. Springer Berlin/Heidelberg, 2004.
[42] Sheng Zhong, Dan Boneh, Markus Jakobsson, and Ari Juels, "Optimistic mixing for exit-polls," in Asiacrypt 2002, LNCS 2501. 2002, pp. 451-465, Springer-Verlag.
[43] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, "Efficient secret sharing without a mutually trusted authority," in Advances in Cryptology - EUROCRYPT '95, vol. 921 of Lecture Notes in Computer Science, pp. 183-193. Springer-Verlag New York, Inc., 1995.
[44] Ingemar Ingemarsson and Gustavus J. Simmons, "A protocol to set up shared secret schemes without the assistance of mutually trusted party," in EUROCRYPT '90: Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology, New York, NY, USA, 1991, pp. 266-282, Springer-Verlag New York, Inc.
[45] Pierre-Alain Fouque and Jacques Stern, "Fully Distributed Threshold RSA under Standard Assumptions," in Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, vol. 2248 of Lecture Notes in Computer Science, pp. 310-330. 2001.
[46] I. Damgard and M. Koprowski, "Practical Threshold RSA Signatures Without a Trusted Dealer," Tech. Rep., Aarhus University, BRICS, 2000.
[47] Adi Shamir, "How to share a secret," Commun. ACM, vol. 22, no. 11, pp. 612-613, 1979.
[48] S Goldwasser, S Micali, and C Rackoff, "The knowledge complexity of interactive proof-systems," in STOC '85: Proceedings of the seventeenth annual ACM symposium on Theory of computing, New York, NY, USA, 1985, pp. 291-304, ACM.


[49] A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," in Advances in Cryptology - Crypto '86, New York, 1987, pp. 186-194, Springer-Verlag.
[50] Joan Boyar, Katalin Friedl, and Carsten Lund, "Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies," Journal of Cryptology, vol. 4, pp. 155-172, 1994.
[51] Oded Goldreich and Yair Oren, "Definitions and Properties of Zero-Knowledge Proof Systems," Journal of Cryptology, vol. 7, no. 1, pp. 1-32, 1994.
[52] A. Kiayias and M. Yung, "The vector-ballot e-voting approach," in Financial Cryptography, Patrick P. Tsang and Victor K. Wei, Eds., vol. 3110/2004 of Lecture Notes in Computer Science, pp. 72-89. Springer-Verlag, 2004.
[53] T. Kiesler and L. Harn, "Cryptographic master-key-generation scheme and its application to public key distribution," Computers and Digital Techniques, IEE Proceedings-, vol. 139, no. 3, pp. 203-206, May 1992.
[54] S. G. Akl and P. D. Taylor, "Cryptographic solution to a problem of access control in a hierarchy," 1983, vol. 1, pp. 239-248.
[55] M. Jakobsson and M. Yung, "Revocable and Versatile Electronic Money," 3rd ACM Conference on Computer and Communications Security, pp. 76-87, 1996.
[56] G Davida, Y Frankel, Y Tsiounis, and M Yung, "Anonymity Control in E-Cash Systems," in Financial Cryptography: First International Conference, Anguilla, British West Indies, 24-28 1997, vol. 1318, pp. 1-16, Springer-Verlag.
[57] Jan Camenisch, Ueli M. Maurer, and Markus Stadler, "Digital Payment Systems with Passive Anonymity-Revoking Trustees," in ESORICS, 1996, pp. 33-43.
[58] Byeonggon Kim, Sungjun Min, and Kwangjo Kim, Fair tracing based on VSS and blind signature without Trustees, vol. 3314/2005 of Lecture Notes in Computer Science, pp. 1061-1066, Springer Berlin/Heidelberg, 2004.
[59] Xiaofeng Chen, Fangguo Zhang, and Yumin Wang, "A New Approach to Prevent Blackmailing in E-Cash," Cryptology ePrint Archive, Report 2003/055, 2003, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[60] Markus A. Stadler, Jean-Marc Piveteau, and Jan L. Camenisch, "Fair Blind Signatures," in Advances in Cryptology - EUROCRYPT 95, vol. 921 of Lecture Notes in Computer Science, pp. 209-219. Springer Berlin/Heidelberg, 1995.


[61] Joris Claessens, Claudia Díaz, Caroline Goemans, Bart Preneel, Joos Vandewalle, and Jos Dumortier, "Revocable anonymous access to the Internet?," Internet Research: Electronic Networking Applications and Policy, vol. 13, no. 4, pp. 242-58, August 2003.
[62] Claudia Diaz, Vincent Naessens, Svetla Nikova, Bart De Decker, and Bart Preneel, "Anonymity and Privacy in Electronic Services, IWT. APES deliverable 11. Tools for Technologies and Applications of Controlled Anonymity," 2004.
[63] Joris Claessens, Claudia Diaz, Svetla Nikova, Vincent Naessens, Bart De Win, Caroline Goemans, Stefaan Seys, Mieke Loncke, Jos Dumortier, Bart De Decker, and Bart Preneel, "Anonymity and Privacy in Electronic Services, IWT. APES deliverable 11. Technologies for Controlled Anonymity," Tech. Rep., Katholieke Universiteit Leuven, 2003.
[64] Rolf Wendolsky Stefan Köpsell and Hannes Federrath, "Revocable Anonymity," in Emerging Trends in Information and Communication Security, vol. 3995 of Lecture Notes in Computer Science. Springer Berlin/Heidelberg, 2006.
[65] D. Chaum, "The dining cryptographers problem: unconditional sender and recipient untraceability," Journal of Cryptology, vol. 1, no. 1, pp. 65-75, 1988.
[66] Z. Zwierko, A. Kotulski, "A new protocol for group authentication providing partial anonymity," Next Generation Internet Networks, pp. 356-363, 2005.
[67] Adam Wierzbicki, Aneta Zwierko, and Zbigniew Kotulski, "A new authentication protocol for revocable anonymity in ad-hoc networks," Computing Research Repository (CoRR), 2005, abs/cs/0510065.
[68] Anna Lysyanskaya, Ronald L. Rivest, and Amit Sahai, "Pseudonym Systems," in Proceedings of SAC 1999, volume 1758 of LNCS. 1999, pp. 184-199, Springer Verlag.
[69] Ian Avrum Goldberg, "A Pseudonymous Communications Infrastructure for the Internet," Tech. Rep., University of California, 2000.
[70] Ian Goldberg and David Wagner, "TAZ Servers and the Rewebber Network: Enabling Anonymous Publishing on the World Wide Web," First Monday, vol. 3, 1997.
[71] D. Chaum, P. Y. A. Ryan, and S. A. Schneider, "A practical, Voter-verifiable Election Scheme," Tech. Rep., University of Newcastle upon Tyne, 2004.
[72] C. Andrew Neff, "Practical High Certainty Intent Verification For Encrypted Votes," Tech. Rep., VoteHere, 2004.


[73] Tatsuaki Okamoto, "Receipt-free electronic voting schemes for large scale elections," in Security Protocols. 1998, vol. 1361/1998 of Lecture Notes in Computer Science, pp. 25-35, Springer Berlin/Heidelberg.
[74] Kazuo Ohta Atsushi Fujioka, Tatsuaki Okamato, "A practical secret voting scheme for large scale elections," in Advances in Cryptology. AUSCRYPT '92, 1992, pp. 244-251.
[75] Josh Daniel Cohen Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, Yale University, New Haven, CT, USA, 1987.
[76] Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers, "A Secure and Optimally Efficient Multi-Authority Election Scheme," in Proceedings of Eurocrypt 97, vol. 1233 of Lecture Notes in Computer Science, p. 103. 1997.
[77] Martin Hirt and Kazue Sako, "Efficient Receipt-Free Voting Based on Homomorphic Encryption," Lecture Notes in Computer Science, vol. 1807, pp. 539+, 2000.
[78] Alessandro Acquisti, "Receipt-Free Homomorphic Elections and Write-in Ballots," Cryptology ePrint Archive, Report 2004/105, 2004, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[79] Joshua Kurlantzick, "2000, the sequel," American Prospect, 2004, 15(10), 22-5.
[80] C. Andrew Neff, "Election Confidence," Tech. Rep., VoteHere, Inc, 2003, Revision 6 December 17, 2003.
[81] Chris Karlof, Naveen Sastry, and David Wagner, "Cryptographic voting protocols: A systems perspective," in SSYM '05: Proceedings of the 14th conference on USENIX Security Symposium, Berkeley, CA, USA, 2005, pp. 33-50, USENIX Association.
[82] Peter Y. A. Ryan and Thea Peacock, "Prêt à Voter: A Systems Perspective," Tech. Rep. CS-TR-929, School of Computing Science, University of Newcastle, 2005.
[83] Bennian Dou, Chunhua Chen, and Roberto Araujo, "Attacks and Modifications of CJC's E-voting Scheme," Cryptology ePrint Archive, Report 2006/300, 2006, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[84] Wen-Shenq Juang and Chin-Laung Lei, "A Secure and Practical Electronic Voting Scheme for Real World Environments (Special Section on Cryptography and Information Security)," IEICE transactions on fundamentals of electronics, communications and computer sciences, vol. 80, no. 1, pp. 64-71, 1997.
[85] L. Cranor and R. Cytron, "Sensus: A security-conscious electronic polling system for the Internet," in Proceedings of the Hawaii International Conference on System Sciences, 1997, Wailea, Hawaii.


[86] Jue-Sam Chou, Yalin Chen, and Jin-Cheng Huang, "A Novel Secure Electronic Voting Protocol Based On Bilinear Pairings," Cryptology ePrint Archive, Report 2006/342, 2006, Retrieved Oct 1, 2009, from http://eprint.iacr.org/
[87] Ronald Cramer, Matthew Franklin, Berry Schoenmakers, and Moti Yung, "Multi-authority Secret-Ballot Elections with Linear Work," Lecture Notes in Computer Science, vol. 1070, pp. 72-83, 1996.
[88] Byoungcheon Lee and Kwangjo Kim, "Receipt-free electronic voting through collaboration of voter and honest verifier," in Proceeding of Japan-Korea Joint Workshop on Information Security and Cryptology, pp. 101-108. 2000, Okinawa, Japan.
[89] Byoungcheon Lee, Colin Boyd, Ed Dawson, Kwangjo Kim, Jeongmo Yang, and Seungjae Yoo, "Providing Receipt-freeness in Mixnet-based Voting Protocols," in Information Security and Cryptology - ICISC 2003, vol. 2971/2004 of Lecture Notes in Computer Science, pp. 245-258. Springer Berlin/Heidelberg, 2004.
[90] Josh Benaloh and Dwight Tuinstra, "Uncoercible Communication," Tech. Rep., Clarkson University, 1997, Computer Science Technical Report TR-MCS-94-1.
[91] Emmanouil Magkos, Mike Burmester, and Vassilios Chrissikopoulos, "Receipt-Freeness in Large-Scale Elections without Untappable Channels," in I3E '01: Proceedings of the IFIP Conference on Towards The E-Society. 2001, vol. 202, pp. 683-694, Kluwer, B.V.
[92] Byoungcheon Lee and Kwangjo Kim, "Receipt-Free Electronic Voting Scheme with a Tamper-Resistant Randomizer," in Information Security and Cryptology - ICISC 2002. 2002, Lecture Notes in Computer Science, pp. 389-406, Springer Berlin/Heidelberg.
[93] Michael Ian Shamos, "Paper v. Electronic Voting Records - An Assessment," Accompanying paper to ACM Computers, Freedom & Privacy Conference held in Berkeley, California in April 2004.
[94] R. Crane, A. Keller, A. Dechert, E. Cherlin, and D. Mertz, "A Deeper Look: Rebutting Shamos on e-Voting," in University Voting System Competition (VoComp) 2007, 2007.
[95] Arthur M. Keller and David Mertz, "Privacy issues in an electronic voting machine," in Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES). 2004, pp. 33-34, ACM Press.
[96] Jonathan Bannet, David W. Price, Algis Rudys, Justin Singer, and Dan S. Wallach, "Hack-a-Vote: Security Issues with Electronic Voting Systems," IEEE Security and Privacy, vol. 2, no. 1, pp. 32-37, 2004.

PAGE 121

[97] Jr.WalterR.Mebane,\WhoWon?StatisticalElectionFraudDetection,"2006USENIX/ACCURATEElectronicVotingTechnologyWorkshop,KeynoteAddress,2006. [98] ElectronicFrontierFoundation,\AccessibilityandAuditabilityinElectronicVoting,"WhitePaper,2004,RetrievedSep.21,2009,from http://www.eff.org/wp/accessibility-and-auditability-electronic-voting [99] NaveenSastry,TadayoshiKohno,andDavidWagner,\Designingvotingmachinesforverication,"inUSENIX-SS'06:Proceedingsofthe15thconferenceonUSENIXSecuritySymposium,Berkeley,CA,USA,2006,USENIXAssociation. [100] Yu-YiChen,Jinn-KeJan,andChin-LingChen,\ThedesignofasecureanonymousInternetvotingsystem,"ComputersandSecurity,23(4),pp.pp.330{337.,2004. [101] IndrajitRay,IndrakshiRay,andNatarajanNarasimhamurthi,\Ananonymouselectronicvotingprotocolforvotingovertheinternet,"inProceedingsoftheThirdInternationalWorkshoponAdvancedIssuesofE-CommerceandWeb-basedInformationSystems,2001,pp.21{22. [102] AndreuRieraandJoanBorrell,\PracticalApproachtoAnonymityinLargeScaleElectronicVotingSchemes,"inNetworkandDistributedSystemSecuritySymposium{NDSS99.1999. [103] DavidChaum,AleksEssex,RichardCarback,JeremyClark,StefanPopoveniuc,AlanSherman,andPoorviVora,\Scantegrity:End-to-endvoter-veriableoptical-scanvoting,"IEEESecurityandPrivacy,vol.6,no.3,May/June2008. [104] D.Chaum,\Electionswithunconditionally-secretballotsanddisruptionequivalenttobreakingrsa,"inLectureNotesinComputerScienceonAdvancesinCryptology-EUROCRYPT'88,NewYork,NY,USA,1988,pp.177{182,Springer-VerlagNewYork,Inc. [105] K.Sako,\Electronicvotingschemeallowingopenobjectiontothetally,"Transac-tionsonFundamentalsofElectronics,CommunicationsandComputerSciences,vol.E77-A,no.1,January1994. [106] WenshenqJuang,ChinlaungLei,andPeilingYu,\Averiablemulti-authoritiessecretelectionallowingabstainingfromvoting,"InternationalComputerSymposium,vol.45,pp.672{682,1998. [107] Wen-ShenqJuangandChin-LaungLei,\Acollision-freesecretballotprotocolforcomputerizedgeneralelections,"ComputersandSecurity,vol.15,no.4,pp.339{348,1996. 
[108] KwangjoKim,JinhoKim,ByoungcheonLee,andGookwhanAhn,\Experimentaldesignofworldwideinternetvotingsystemusingpki,"2001. 121

PAGE 122

[109] ChoonsikPark,KazutomoItoh,andKaoruKurosawa,\Ecientanonymouschannelandall/nothingelectionscheme,"inEUROCRYPT'93:WorkshoponthetheoryandapplicationofcryptographictechniquesonAdvancesincryptology,Secaucus,NJ,USA,1994,pp.248{259,Springer-VerlagNewYork,Inc. [110] MasayukiAbe,\Universallyveriablemix-netwithvericationworkindependentofthenumberofmix-servers,"inAdvancesinCryptologyEUROCRYPT'98.1998,vol.1403ofLectureNotesinComputerScience,SpringerBerlin/Heidelberg. [111] KazueSakoandJoeKilian,\Receipt-freemix-typevotingscheme,"inAdvancesinCryptologyEUROCRYPT95.1995,vol.921/1995ofLectureNotesinComputerScience,pp.393{403,SpringerBerlin/Heidelberg. [112] MarkusJakobsson,AriJuels,andRonaldL.Rivest,\Makingmixnetsrobustforelectronicvotingbyrandomizedpartialchecking,"inUSENIXSecuritySymposium,2002,pp.339{353. [113] MarkusJakobsson,\APracticalMix,"LectureNotesinComputerScience,vol.1403,pp.448{461,1998. [114] AriJuels,DarioCatalano,andMarkusJakobsson,\Coercion-resistantelectronicelections,"inWPES'05:Proceedingsofthe2005ACMworkshoponPrivacyintheelectronicsociety,NewYork,NY,USA,2005,pp.61{70,ACM. [115] JensGroth,\Averiablesecretshueofhomomorphicencryptions,"inINPROCEEDINGSOFPKC03,LNCSSERIES.2005,pp.145{160,Springer-Verlag. [116] DavidChaum,\Secret-BallotReceipts:TrueVoter-VeriableElections,"IEEESecurityandPrivacy,vol.2,no.1,pp.38{47,2004. [117] JoshD.CohenandMichaelJ.Fischer,\Arobustandveriablecryptographicallysecureelectionscheme,"inSFCS'85:Proceedingsofthe26thAnnualSymposiumonFoundationsofComputerScience,Washington,DC,USA,1985,pp.372{382,IEEEComputerSociety. [118] JoshCBenalohandMotiYung,\Distributingthepowerofagovernmenttoenhancetheprivacyofvoters,"inPODC'86:ProceedingsofthefthannualACMsymposiumonPrinciplesofdistributedcomputing,NewYork,NY,USA,1986,pp.52{62,ACM. [119] KazueSakoandJoeKilian,\Securevotingusingpartiallycompatiblehomomorphisms,"inAdvancesinCryptologyCRYPTO94.1994,vol.839ofLectureNotesinComputerScience,pp.411{424,SpringerBerlin/Heidelberg. 
[120] I.Damgard,M.Jurik,andJ.Nielsen,\Ageneralizationofpaillier'spublic-keysystemwithapplicationstoelectronicvoting,"2003. 122

PAGE 123

[121] MarkusJakobsson,KazueSako,andRussellImpagliazzo,\DesignatedVerierProofsandTheirApplications,"inAdvancesinCryptologyEUROCRYPT96,vol.1070ofLectureNotesinComputerScience,pp.143{154.SpringerBerlin/Heidelberg,1996. [122] RonaldL.Rivest,\TheThreeBallotVotingSystem,"Tech.Rep.,VotingTechnologyProject,Caltech/MIT,2009. [123] StefanPopoveniucandBenHosp,\AnIntroductiontoPunchscan,"Tech.Rep.,Punchscan,October2006,RetrievedSep.21,2009,from http://www.punchscan.org/papers/popoveniuc_hosp_punchscan_introduction.pdf [124] KevinFisher,RichardCarback,andAlanSherman,\Punchscan:IntroductionandSystemDenitionofaHigh-IntegrityElectionSystem,"inProceedingsoftheIAVoSSWorkshopOnTrustworthyElections(WOTE'06),Cambridge,UK,PeterA.Ryan,Ed.,June2006. [125] BenHosp,\Write-inVotesForPunchscan,"Tech.Rep.,Punchscan,February2007,RetrievedSep.21,2009,from http://punchscan.org/press/punchscanwritein.pdf [126] JoyMarieForsythe,\EncryptedReceiptsforVoter-VeriedElectionsUsingHomomorphicEncryption,"M.S.thesis,M.I.T.,2005. [127] RonaldL.Rivest,\Asimpleruleofthumbforelectionauditsizedetermination,"Unpublisheddraft.Version10/31/2007. [128] JosephLorenzoHall,\ElectionAuditingBibliography,"2009,RetrievedSep.21,2009,from http://josephhall.org/eamath/bib.pdf [129] JohnKelsey,\PreliminaryAnalysisofThreatstoVotingSystems,"Tech.Rep.,NationalInstituteofStandardsandTechnology(NIST),2005. [130] DouglasW.Jones,\Threatstovotingsystems,"ApositionpaperfortheNISTworkshoponThreatstoVotingSystemsOctober7,2005,Gaithersburg,MD. [131] JavedA.Aslam,RalucaA.Popa,andRonaldL.Rivest,\Onestimatingthesizeandcondenceofastatisticalaudit,"inEVT'07:ProceedingsoftheUSENIXWorkshoponAccurateElectronicVotingTechnology,2007. [132] DouglasW.Jones,\ProblemswithVotingSystemsandtheApplicableStandards,"2001,TestimonybeforetheU.S.HouseofRepresentatives'CommitteeonScience. [133] MargaretMcgaleyandJoeMccarthy,\Transparencyande-Voting:Democraticvs.CommercialInterests,"inInternationalWorkshoponElectronicVotinginEurope,2004,pp.153{163. 123

PAGE 124

[134] TadayoshiKohno,AdamStubbleeld,AvielD.Rubin,andDanS.Wallach,\AnalysisofanElectronicVotingSystem,"inIEEESymposiumonSecurityandPrivacy,2004. [135] A.Keller,D.Mertz,J.Hall,andA.Urkin,\Privacyissuesinanelectronicvotingmachine,"inACMWorkshoponPrivacyintheElectronicSociety,pp.33{34.October2004. [136] TillStegersAnanyaDas,YuanNiu,\SecurityAnalysisoftheeVACSOpen-SourceVotingSystem,"Manuscript,2005,RetrievedSep.21,2009,from http://wwwcsif.cs.ucdavis.edu/stegers/eVACS-nal-report.pdf. [137] PhilipE.Varner,\VoteEarly,VoteOften,andVoteHere:ASecurityAnalysisofVoteHere,"M.S.thesis,UniversityofVirginia,2001. [138] BenAdidaandC.AndrewNe,\Ballotcastingassurance,"inEVT'06:ProceedingsoftheUSENIX/AccurateElectronicVotingTechnologyWorkshop2006onElectronicVotingTechnologyWorkshop,2006. [139] BenAdida,AdvancesinCryptographicVotingSystems,Ph.D.thesis,M.I.T,August2006. [140] OrhanCetinkayaandDenizCetinkaya,\Vericationandvalidationissuesinelectronicvoting,"inECEG2007:The7thEuropeanConferenceone-Government,June2007,Volume5Issue2SpecialIssue:ECEG2007DenHaag. [141] A.T.Sherman,A.Gangopadhyay,S.H.Holden,G.Karabatis,A.G.Koru,C.M.Law,D.F.Norris,J.Pinkston,A.Sears,andD.Zhang,\Anexaminationofvotevericationtechnologies:ndingsandexperiencesfromthemarylandstudy,"inProceedingsoftheUSENIX/AccurateElectronicVotingTechnologyWorkshopEVT06,Canada,2006. [142] JohnMcDermottandChrisFox,\UsingAbuseCaseModelsforSecurityRequirementsAnalysis,"inACSAC'99:Proceedingsofthe15thAnnualCom-puterSecurityApplicationsConference,Washington,DC,USA,1999,p.55,IEEEComputerSociety. [143] BruceSchneier,\AttackTrees,"Dr.Dobb'sJournal,December1999. [144] R.GreenandJ.Adler,\ThreatAnalysis,"Tech.Rep.,VHTiElectionVericationTechnology,VoteHere,2003. [145] S.KentandR.Atkinson,\RFC2406:IPEncapsulatingSecurityPayload(ESP),"InternetEngineeringTaskForce(IETF),RetrievedSep.21,2009,from http://www.ietf.org/rfc/rfc2406.txt 124

PAGE 125

[146] T.DierksandC.Allen,\RFC2246:TheTLSProtocol,"InternetEngineeringTaskForce(IETF),RetrievedSep.21,2009,from http://tools.ietf.org/html/rfc2246 [147] MartinHirt,Multi-PartyComputation:EcientProtocols,GeneralAdversaries,andVoting,Ph.D.thesis,ETHZurich,Sept.2001,Reprintasvol.3ofETHSeriesinInformationSecurityandCryptography,Hartung-GorreVerlag,Konstanz,2001. [148] MajidJavidMoayed,AbdulAzimAbdulGhani,andRamlanMahmod,\ASurveyonCryptographyAlgorithmsinSecurityofVotingSystemApproaches,"ComputationalScienceanditsApplications,InternationalConference,pp.190{200,2008. [149] DavidChaum,JeroenVanDeGraaf,PeterY.A.Ryan,andPoorviL.Vora,\SecretBallotElectionswithUnconditionalIntegrity,"CryptologyePrintArchive,Report2007/270,2008,RetrievedOct1,2009,from http://eprint.iacr.org/ [150] M.Klonowski,M.Kutylowski,A.Lauks,andF.Zagorski,\APracticalVotingSchemewithReceipts,"inInformationSecurity,vol.3650/2005ofLectureNotesinComputerScience,pp.490{497.SpringerBerlin/Heidelberg,2005. [151] PeterY.A.Ryan,\AvariantoftheChaumvoter-veriablescheme,"inWITS'05:Proceedingsofthe2005workshoponIssuesinthetheoryofsecurity,NewYork,NY,USA,2005,pp.81{88,ACMPress. 125

PAGE 126

BIOGRAPHICAL SKETCH

Bekir Arslan was born in Hamburg, Germany in 1976. He earned his B.S. in mathematics from Bilkent University, Ankara, Turkey in 1999. He received an M.A. in mathematics from Indiana University, Bloomington. His research area is cryptographic protocols.