A Secure and Anonymous Voter-Controlled Election Scheme

Thomas E. Carroll and Daniel Grosu, Dept. of Computer Science, Wayne State University, 5143 Cass Avenue, Detroit, MI 48202, USA

Abstract

Despite the massive improvements in technology, the goal of having accurate, anonymous and voter-verifiable elections has not yet been realized. The existing electronic voting schemes that provide secret voter-verifiable receipts are based on ‘classical’ mix-nets. These mix-net approaches do not scale well and are designed to provide a fixed degree of anonymity which cannot be increased by voters who do not trust the system. In this paper we propose a new voting scheme that allows the voters to increase their degree of anonymity beyond the one implicitly provided by the system and provides secret voter-verifiable receipts. The proposed scheme utilizes incoercible, voter-verifiable receipts. The scheme is robust as no reasonable-sized coalition can interfere with its correct operation. The scheme has low communication complexity and thus it is efficient to use in large scale elections.

Key words: mix networks, electronic voting, voter-verifiable receipts, elections, visual cryptography.

1 Introduction

The way elections are performed has one of the biggest societal impacts of any democratic process. In the United States there are approximately 200 million eligible voters who expect a high level of trust in the electoral system. When the outcome is questioned because of improprieties, malfunctions, etc., citizens lose faith in the system. A recent study (Shamos (2004b)) suggests that the outcomes for a large proportion of past elections were manipulated. Another study by Di Franco et al. (2004) suggests that election outcomes can be manipulated by altering a relatively small number of votes. In the 2000 US Presidential election, the state of Florida used an antiquated punch card system which resulted in a large number of spoiled votes. The initial tally was close, resulting, by law, in an automatic recount. Poll officials needed to inspect every card and attempt to make a determination of the voter’s intent. The resulting process was highly subjective. In many cases, the intent was determined by the degree to which a chad was detached from its card. Several recounts and lawsuits ensued. In the end, voters felt disenfranchised because of the belief that all votes should be counted. Even the gold standard of voting, paper ballots, has defects. Due to various factors, the intent remains open to interpretation, which influences the election outcome. One example is the 2004 Taiwan Presidential election (Bradsher and Kahn (2004)), where the margin of victory (29,518 votes out of 13 million cast) was eleven times smaller than the number of invalid votes (337,297). These problems and others resulted in the US federal government mandating the modernization of election systems. Many states chose optical systems, but a few decided on direct recording electronics (DRE). DREs are small computer devices that voters interact with through a simple interface. Even though DREs appear as a revolutionary leap in election systems, in the rush to get to market the systems were flawed, resulting in a host of new problems. In one instance (Monteagudo Jr. and Gao (2004)), approximately 3000 votes were miscounted. Further complicating the matter, the systems did not provide an audit trail, hence making recounts impossible. Some states are mandating that the units be supplemented with a paper printer that produces receipts that the voter verifies and then deposits in a sealed box. If a recount is necessary, the receipts are tallied instead of the digital results.

Email address: {tec, dgrosu}@cs.wayne.edu (Thomas E. Carroll and Daniel Grosu).

Preprint submitted to Elsevier, 17 May 2008
Recently, ACM (ACM (2004)) has recommended that electronic “voting systems should enable each voter to inspect a physical (for example paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.” There exist several election schemes which provide secret voter-verifiable receipts (Chaum (2004); Ryan and Bryans (2004)), all of them based on mix-nets. Existing mix-net approaches do not scale well and are designed to provide a fixed degree of anonymity which cannot be controlled by the voters. A voter desiring a higher degree of anonymity than the one implicitly provided by the system cannot obtain it. Also, they do not provide a high degree of fault tolerance. Currently, the lack of voters’ ability to increase their degree of anonymity when casting their votes and the lack of secret voter-verifiable receipts are significant impediments to the development and deployment of large scale electronic voting systems, leading to a low level of trust in the process by the electorate.

We propose an e-voting scheme that addresses these issues by allowing the voters to increase their degree of anonymity beyond the one implicitly provided by the system and by providing secret voter-verifiable receipts. The scheme produces ballots that are publicly tallied. This is beneficial as: (i) individuals can identify if their vote was counted; (ii) recounts are simple; and (iii) trust is enhanced. We define a set of criteria in order to characterize voting systems. The set of criteria is divided into two broad categories: practicality and security. A system is practical if it is convenient, applicable to a wide range of technologies, scalable, flexible, and accessible. The security category consists of the following criteria:

Eligibility. A system ensures eligibility if and only if only eligible voters cast votes and no voter can cast more than one vote.
Privacy. A system ensures privacy if and only if all votes remain private while voting is in progress.
Accuracy. A system is accurate if and only if no vote can be altered, tampered with, duplicated, or eliminated without being detected.
Fairness. A system is fair if and only if no observer can gain any knowledge about the partial tally before the votes are counted.
Robustness. A system is robust if it tolerates the faulty behavior of a reasonable-sized coalition of participants. Furthermore, no coalition of voters can affect the election and faulty (malicious) voters are detected.
Voter Verifiability. A system is voter verifiable if and only if a voter can determine that his/her vote was correctly counted.
Universal Verifiability. A system is universally verifiable if and only if any observer, passive or otherwise, can be convinced that the final tally is correctly computed from the votes that were cast.
Incoercibility. A system is incoercible if and only if no voter is able to prove the value of his/her vote to another party.

This set of criteria will be used to characterize our e-voting scheme.
Related work. The Federal Election Commission developed a set of guidelines (known as the FEC 2002 standard) that specifies the voting systems’ functional requirements, performance characteristics, and test evaluation criteria (FEC (2002)). This voting system standard is voluntary, thus the states are free to adopt it or not. IEEE is also developing a voting system standard (P1583) (Rein (2004)). Several vendors provide voting technology ranging from optical systems and DREs to Internet voting (FEC (2000)). Electronic voting schemes can be divided into four categories: schemes based on mix-nets (Chaum (1981)), schemes based on blind signatures (Chaum (1982)), Benaloh’s scheme (Benaloh (1987)), and schemes based on homomorphic encryption (Cramer et al. (1997)).

Chaum (1981) was the first to introduce mix-nets. Chaumian mixes are simple RSA decryption mixes in which every server along the route between sender and receiver decrypts one layer of the message. Several voting schemes based on Chaum’s mix-nets have been proposed (Abe (1998); Jakobsson et al. (2002); Magkos et al. (2001); Michels and Horster (1994); Sako and Kilian (1995)). Another type of mix is the re-encryption mix (Jakobsson (1999)) that randomizes based on re-encryption. This mix type has greater resilience to failure than the Chaumian mixes. Neff (2001) proposed an efficient verifiable mixing technique applicable to electronic voting. Acquisti (2002a,b) proposed the concept of user-centric mix-nets in which voters themselves manage their privacy requirements. Voters collaborate with a third party in order to exchange ballots among themselves. Using this technique the resilience of the system is increased. Chaum (2004) supplemented mix-nets with visual cryptography. This was the first model that supplied incoercible receipts to the voter. Among other attributes, the receipts permit the voter to verify that his or her vote is tallied. Vora (2004) describes a complete implementation of the system. To reduce complexity and cost, Ryan and Bryans (2004) designed a simpler encoding using a pair of aligned strips in place of visual cryptography. A strip contains a single row of symbols that, when aligned with its partner, reveals the vote value. Chaum et al. (2005) proposed the Prêt à Voter scheme, an extension of Chaum’s original scheme that uses a much simpler representation of the vote, making the scheme much easier to understand and implement. Ryan and Schneider (2006) improved the Prêt à Voter scheme by using re-encryption mixes instead of decryption mixes in the anonymizing tabulation phase. This provides tolerance against failures of the mix tellers and enables independent auditing. Following Prêt à Voter, Chaum proposed PunchScan (Punchscan (2008)), a more practical scheme based on optical-scan balloting.

Chaum (1982) introduced blind signatures as a method to authenticate a message without knowing its content. The signature is unlinkable in the sense that a signer cannot derive the correspondence between the signing process and the publicly-available signature. An election system by Fujioka et al. (1993) solves the problem of anonymously validating votes by utilizing blind signatures. Several other systems use blind signatures (e.g., Chaum (1998); Cranor and Cytron (1997); Ohkubo et al. (1999); Okamoto (1997); Petersen et al. (1995)), but all the systems experience the same drawback: voters should not abstain after the registration phase.

Benaloh’s scheme (Benaloh (1987)) uses a homomorphic secret sharing scheme. With such schemes there is an operator $\oplus$ defined on the share space, such that the sum of the shares of any two secrets $x_1, x_2$ is a share of the secret $x_1 \oplus x_2$. The system proceeds by the voter sharing his vote among the $n$ trustees. The votes are encrypted using the key of the receiving trustees, authenticated, and posted on a bulletin board. The trustees add all the received shares to get a share of the tally sum. The final step is that the trustees combine the shares into the tally. Cramer et al. (1997) proposed a scheme based on homomorphic encryption. The scheme exploits the properties of homomorphic encryption to establish universal verifiability. Homomorphic encryption has an operation $\oplus$ on the message space and an operation $\otimes$ on the cipher space such that the product of the encryptions of any two votes $v_1, v_2$, namely $E(v_1) \otimes E(v_2)$, is the encryption $E(v_1 \oplus v_2)$ of the sum of the votes. The drawback of the system is that a coercible receipt is produced. Hirt and Sako (2000) combine homomorphic encryption and mix-nets to yield a system that does not produce receipts. Essentially the system works as follows. For each voter, the system produces all vote combinations as input to the first mix. Each mix presents proofs of the re-encryption such that the voter can determine the position of his vote. After mix completion, the voter publicly announces the position of his vote. The tally is computed as in Cramer et al. (1997). Other examples of schemes based on homomorphic encryption are Baudron et al. (2001); Cramer et al. (1996); and Damgard and Jurik (2001).

Several recent papers addressed the concerns regarding the security of electronic voting schemes deployed in insecure environments (Jefferson et al. (2004); Kohno et al. (2003); Mercuri (2002); Rubin (2002); Shamos (2004a)). In Rubin (2002), the author describes the difficulty in securing remote electronic elections (also called Internet voting or simply I-voting). The security deficiencies of a real I-voting application are detailed in Jefferson et al. (2004). The source code of a popular DRE application is inspected in Kohno et al. (2003).
Among many sources, Mercuri (2002) emphatically proposes supplementing DREs with receipts; Shamos (2004a) criticizes the suggestion, stating that the e-voting requirements are grandiose, especially when juxtaposed with the requirements of automation that can inflict injury or death (e.g., airplanes, automobiles).

Contribution. We propose an election scheme that combines a variant of user-centric mix-nets (Acquisti (2002b)) with Chaum’s voter-verifiable receipts (Chaum (2004)). The system in its entirety exhibits several positive attributes. The user-centric mix-nets empower voters as they are able to increase their degree of anonymity when casting ballots. Voters desiring a greater degree of anonymity than the one provided by the system can achieve it by performing additional mix iterations. In addition, these mix-nets demonstrate better fault tolerance and scalability. During the mix progression, voters discover faulty parties and compensate by engaging other operational parties. Voter-verifiable receipts require reformulation when combined with the user-centric mix-net. The proposed receipts successfully maintain most of the properties of the originals. The scheme is robust as no reasonable-sized coalition can interfere with its correct operation. Furthermore, the scheme is efficient as the number of transmitted messages increases linearly with the number of voters.

Organization. The paper is structured as follows. In Section 2 we present the primitives on which our election scheme is based. In Section 3 we present and detail our proposed election scheme. In Section 4 we discuss the merits and costs. In Section 5 we discuss the implementation issues related to our election scheme. In Section 6 we draw conclusions and present future directions.

2 Preliminaries

2.1 Cryptographic Primitives

Public key cryptography, also called asymmetric key cryptography, is a family of cryptographic algorithms which use two keys. One key is the private key, which must be kept secret, while the other key is the public key, which is advertised. The keys function oppositely: when the public key is used to encrypt a message, the private key must be used to decrypt the ciphertext. The ElGamal cryptosystem (Menezes et al. (1996)) is a family of asymmetric key cryptographic algorithms exploiting the intractability of the discrete logarithm problem. In the usual case, ElGamal encryption/decryption is performed over a multiplicative subgroup $G$ of order $q$ in $\mathbb{Z}_p^*$, where $p, q$ are large primes.

• Key generation (KG): Output key set $(PK, SK) = [(p, g, h = g^x), x]$ for large prime $p$ and $g, h \in \mathbb{Z}_p$.
• Encryption (E): Input comprises a message $m$, a public key $(p, g, h)$, and a random encryption factor $k \in \mathbb{Z}_p$. The output is a ciphertext $C = (G, M) = (g^k, m h^k)$. We write $C = E_{PK}(m, k)$ or $C = E_{PK}(m)$ for brevity.
• Decryption (D): Input is a ciphertext $C = (G, M)$ under public key $(p, g, h)$. Compute $m = M / G^x$. We write $m = D_{SK}(C)$.

The ElGamal cryptosystem supports a $(t, n)$ robust threshold scheme (Desmedt and Frankel (1990)). The purpose of a robust threshold cryptosystem is the fault-tolerant sharing of the private key such that messages can be decrypted when $t \le n$ trustees cooperate; any coalition of $t - 1$ or fewer trustees cannot reconstruct the key and thus cannot decrypt messages. This scheme is resilient; any coalition of at most $n - t$ trustees cannot influence the correctness of the other trustees.

• Key generation (KG): Output key $(PK, (SK_1, SK_2, \ldots, SK_{n-1}, SK_n)) = [(p, g, h = g^x), (x_1, x_2, \ldots, x_{n-1}, x_n)]$ for large prime $p$, $g, h \in \mathbb{Z}_p$, and $x = \sum_{j \in T} x_j \lambda_{j,T}$, where $\lambda_{j,T} = \prod_{l \in T - \{j\}} \frac{l}{l - j}$ and $T$ is the set of trustees. The key generation step is executed by a third party who distributes the results to the given participants.
• Decryption (D): Input is a ciphertext $C = (G, M)$ under public key $(p, g, h)$. Trustee $T_j$ broadcasts $w_j = G^{x_j}$ and proves in zero-knowledge that $\log_g h_j = \log_G w_j$. Compute $m = M / G^x$ for $g^x = g^{\sum_{j \in T} x_j \lambda_{j,T}}$.
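A toy implementation of the $(t, n)$ threshold ElGamal decryption just described, added here as an example and not taken from the paper: a dealer shares $x$ with a Shamir polynomial, each trustee publishes $w_j = G^{x_j}$, and anyone recombines $G^x = \prod_j w_j^{\lambda_{j,T}}$ with the Lagrange coefficients $\lambda_{j,T}$ above. The 10-bit group parameters, the function names and the omission of the zero-knowledge proofs are assumptions made for illustration.

```python
import secrets

# Toy parameters (illustration only; a deployment uses large primes):
# p = 2q + 1 with p = 1019 and q = 509 both prime; g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def lagrange_coeff(j, coalition, q=Q):
    """lambda_{j,T} = prod_{l in T - {j}} l / (l - j), computed modulo q."""
    num, den = 1, 1
    for l in coalition:
        if l != j:
            num = num * l % q
            den = den * ((l - j) % q) % q
    return num * pow(den, -1, q) % q


def reconstruct_secret(shares, q=Q):
    """x = sum_{j in T} x_j * lambda_{j,T} over the coalition T = shares.keys()."""
    coalition = sorted(shares)
    return sum(shares[j] * lagrange_coeff(j, coalition, q) for j in coalition) % q


def keygen(t, n):
    """Third party: pick x and a random degree t-1 polynomial f with f(0) = x;
    trustee j receives the share x_j = f(j). Returns (PK, {j: x_j}, x)."""
    coeffs = [secrets.randbelow(Q - 1) + 1 for _ in range(t)]   # coeffs[0] is x
    f = lambda j: sum(c * pow(j, i, Q) for i, c in enumerate(coeffs)) % Q
    x = coeffs[0]
    shares = {j: f(j) for j in range(1, n + 1)}
    return (P, G, pow(G, x, P)), shares, x


def encrypt(pk, m, k=None):
    """C = (G, M) = (g^k, m h^k); m must be a nonzero residue mod p."""
    p, g, h = pk
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    return pow(g, k, p), m * pow(h, k, p) % p


def decryption_share(x_j, ciphertext):
    """Trustee T_j broadcasts w_j = G^{x_j}. The zero-knowledge proof of
    log_g h_j = log_G w_j that accompanies it in the paper is omitted here."""
    Gc, _ = ciphertext
    return pow(Gc, x_j, P)


def combine(shares_w, ciphertext):
    """Anyone: G^x = prod_j w_j^{lambda_{j,T}}, then m = M / G^x.
    shares_w maps trustee index j -> w_j for a coalition of at least t trustees."""
    _, M = ciphertext
    coalition = sorted(shares_w)
    gx = 1
    for j in coalition:
        gx = gx * pow(shares_w[j], lagrange_coeff(j, coalition), P) % P
    return M * pow(gx, -1, P) % P


def threshold_decrypt(shares_x, ciphertext, coalition):
    """Convenience wrapper: `coalition` lists the trustee indices that cooperate."""
    return combine({j: decryption_share(shares_x[j], ciphertext) for j in coalition},
                   ciphertext)


if __name__ == "__main__":
    pk, shares, _ = keygen(t=3, n=5)
    c = encrypt(pk, 777)
    print(threshold_decrypt(shares, c, [1, 3, 5]))   # any 3 of the 5 trustees recover 777
```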

2.2 Mix networks

Mix networks (mix-nets) are mechanisms to unlink message senders from receivers. Chaum (1981) proposed mix-nets in the context of an anonymous email system. The function of mix-nets is to randomize a sequence of mutated messages such that the inputs and outputs are unlinkable. Messages are mutated by either encrypting, decrypting, or re-encrypting them. The Chaumian variant of mix-nets uses “onion encryption” and RSA decryption. In a mix-net, there are $n$ mix servers $M_1, \ldots, M_j, \ldots, M_n$, each with key set $(PK_j, SK_j)$ for $j = 1, \ldots, n$. When a message $m$ is to be transmitted anonymously, $m$ is encrypted as $E_1(\ldots E_j(\ldots E_n(m)))$ and then transmitted to $M_1$. $M_j$ waits until it receives several encrypted messages. Upon reaching a threshold on the number of messages, it removes one layer of encryption from $m$: $D_j(E_j(E_{j+1}(\ldots E_n(m)))) = E_{j+1}(\ldots E_n(m))$, then shuffles and transmits the encrypted messages to $M_{j+1}$. The final server $M_n$ removes the remaining layer of encryption, shuffles the batch, and transmits $m$ to the recipient. Traditionally, users have minimal input in the mix-net processing. Users requiring more anonymity than what is provided cannot obtain it. User-centric mix-nets (Acquisti (2002b)) solve the problem. These mix-nets require that the users participate in the mix. The advantage is that users are empowered in the sense that a user requiring more anonymity can achieve it by performing several mix iterations. Additionally, these mix-nets demonstrate better fault tolerance. Users discover faults among the participants and compensate by engaging other participants.

2.3 Visual Cryptography

Naor and Shamir (1995) introduced visual cryptography to conceal images without cryptographic computations. The cryptosystem works by encoding the plaintext message $m$ into a printed page of ciphertext and $n$ transparencies that encode the key. The message $m$ is visually observed when the ciphertext and $k \le n$ transparencies are aligned, even though individually they are indistinguishable from random noise. The technique is in effect the one-time pad, which Shannon (1949) demonstrated to be information-theoretically secure.

Chaum (2004) adapted the concept into voter-verifiable receipts. Upon completion of voting, the voter is presented his/her vote summary on a printout. The printout is composed of two layers of superimposed transparencies. When the layers are separated, the vote becomes indiscernible from random noise. The layers are divided into square grids of equal parts where each square contains one of two pixel symbols. The pixel symbols are $2 \times 2$ square grids with the squares on a diagonal filled. The symbols are reverses of each other; where one is black, the other is white, and vice versa. When the layers are properly aligned, each symbol has a paired symbol on the opposite layer. A square in the resulting printout is grayed when the layers have the same symbol and is opaque when the layers have different symbols. The printout is crafted by first generating a random ciphertext (white sheet) and then choosing the key pixels on the key sheet (red sheet) to obtain the image. To eliminate the possibility of faked layers, red pixels must be dispersed between the layers. This is achieved by randomly swapping half the pixel pairs between layers. After swapping, both $m \times n$ layers contain $(m \times n)/2$ white pixels and $(m \times n)/2$ red pixels. The layers are digitized. Both layers contain 4-tuples $(L_z, q, D^t_N, D^b_N)$, where $L$ is the $m \times n$ matrix representation of the layer, $q$ is the serial number, $D$ is a doll, and $z$ is either $t$ for the top layer or $b$ for the bottom layer. The dolls contain information to generate half the random values. The dolls are protected by encryption and are decrypted in an $N$-layer mix-net. The user verifies that the ballot image $B = L_t \oplus L_b$ and that the last three tuple components are the same on both layers. The voter commits to his/her vote by selecting a layer and destroying the other. The ballot image is restored by the mix-net operation. The pair $(T_N, D_N)$ is the input of the mix, where $T_N = L_x$, $D_N = D^y_N$, and $x \ne y$. The trustee $M_j$ removes a layer from $D_j$, resulting in $D_{j-1}, h_j$, where $h_j$ is the receipt contribution from $T_j$. The trustee computes $T_{j-1} = T_j \oplus h_j$ and forwards $T_{j-1}, D_{j-1}$ to trustee $M_{j-1}$. After the final trustee, $T_0 = B_z$, where $B_z$ is a ballot image half.

3 The Proposed Scheme

In describing our voting scheme we use the following notation:

i) $V_i$ is voter $i$. $V = \{V_1, V_2, \ldots, V_n\}$ is the set of $n \ge 2$ voters.
ii) $T_i$ is trustee $i$. $T = \{T_1, T_2, \ldots, T_s\}$ is the set of $s$ trustees.
iii) $E_{PK}(m)$ is the encryption of message $m$ under $PK$.
iv) $Sig_{SK}(m)$ is the secure digital signature of $m$ under private key $SK$. $S_{SK}(m) = (m, Sig_{SK}(m))$ is the digitally signed message $m$ under private key $SK$.

Players. There are four player types in the system: voters, facilitator(s), bulletin board(s), and trustees. A voter should be able to determine that his/her vote was counted and that it is anonymous. The facilitators and bulletin boards ensure anonymity. The trustees are responsible for ensuring the vote tally. There are $n$ voters, where $n$ is large enough so that the probability of guessing the ballot’s owner (equal to $1/n$) is small. The system fails to anonymize voters if $n = 1$, but any voting scheme has this limitation. A facilitator is associated with a bulletin board to which it can post. The bulletin board is immutable, i.e., messages cannot be modified once they are posted to the board. The board is divided into slots, with each slot independent of the others.

Receipts. The receipts as proposed by Chaum (2004) require reformulation to be successfully integrated with user-centric mix-nets. The visual encoding scheme remains unchanged as presented in Section 2.3. What differs is that both layers are represented as a 3-tuple $(L_c, q, E_{PK}(B, k))$, where $c \in \{top, bottom\}$, $q$ is the serial number, and $B = L_{top} \oplus L_{bottom}$ is the ballot image. The random encryption factor is obtained as $k = h(S_{PK}(q))$, where $S_{PK}(q)$ is the digitally signed serial number $q$ under public key $PK$ and $h$ is a public one-way function. The voter verifies that the receipt is generated correctly:
(i) He/she checks that $L_{top} \oplus L_{bottom} = B$.
(ii) He/she confirms that $q$ and $E_{PK}(B)$ are identical on both layers.
(iii) He/she evaluates $E_{PK}(B)$.
If any of the checks fails, it is undeniable evidence that the polling station malfunctioned. The ballot image is reconstructed by removing $L_c$ and $q$, and by submitting $E_{PK}(B)$ to the trustees. The trustees decrypt $E_{PK}(B)$ using the threshold robust ElGamal algorithm (Section 2.1).

Keys. Players are required to have public/private key sets. If $(PK, SK)$ is the key set, $PK$ and $SK$ represent the public and private keys respectively. It is implicitly understood that a public key infrastructure (PKI) exists and all public keys are registered to it. We use the following notation for the key sets:
i) $(PK_T, [SK_{T_1}, SK_{T_2}, \ldots, SK_{T_s}])$: key set for the trustees $T$, where $T_j$ is trustee $j$.
ii) $(PK_F, SK_F)$: key set for the facilitator.
iii) $(PK^t_{V_i}, SK^t_{V_i})$: $t$th key set for voter $V_i$. No one, except $V_i$, knows that a link exists between $PK^t_{V_i}$, $PK^{t+1}_{V_i}$, and $V_i$.

Tokens. Before every election, tokens are generated offline by the trustees. When the system deems a voter eligible, it transmits a token to the voter. The token is a unique receipt of eligibility. A token is generated for an identity and thereafter is linked to a voter. Tokens are inputs to the mix where the identity-token relationships are severed. A token is redeemed for a vote submission. The token is authenticated before accepting the vote. Authentication includes verifying that the token is well-formed and unredeemed. Tokens and token construction must satisfy the following constraints:
(i) Tokens must be difficult to counterfeit. By extension, they must be easily verified.
(ii) Tokens must offer replay protection.
(iii) Tokens are valid only for the election for which they are generated. A token crafted for election A cannot be used for election B and vice versa.
As previously stated, tokens are the objects exchanged during the mix. Besides serving as a receipt of eligibility, tokens are necessary because, unlike ballots, they are equivalent. Tokens have the same value to all parties, similar to how a quarter is worth $0.25 to everyone. Ballots, on the other hand, are dependent on the vote and the voter; a vote for George W. Bush has a vastly different value to a Republican than to a Democrat. In the following we present our voting scheme.
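The visual encoding of Section 2.3 together with the receipt checks (i)-(iii) above, as an added toy example (not the paper's or Chaum's code): each layer is a bit matrix of $2 \times 2$ pixel symbols whose overlay (XOR) is the ballot image, $E_{PK}(B)$ is plain ElGamal over a small prime, and the group parameters, the modelling of $h$ as SHA-256, the signed serial number $S_{PK}(q)$ passed in as opaque bytes, and all function names are assumptions.

```python
import hashlib
import random

# Toy ElGamal group for the E_PK(B) component: p = 2^31 - 1 is prime and g = 7 is a
# primitive root mod p. Far too small for real use; chosen only so the example runs instantly.
P, G = 2**31 - 1, 7
# The two 2x2 pixel symbols of Section 2.3 (X = filled, . = clear); each is the reverse of the other.
SYMBOL = {0: ("X.", ".X"), 1: (".X", "X.")}


def seeded_rng(seed):
    """Deterministic randomness for demonstrations; a polling station would use a CSPRNG."""
    return random.Random(seed)


def make_layers(ballot, rng):
    """Random ciphertext sheet, key sheet chosen so that top XOR bottom = ballot, then half of
    the pixel pairs are swapped between the layers so that key pixels are dispersed (Section 2.3)."""
    m, n = len(ballot), len(ballot[0])
    top = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
    bottom = [[ballot[i][j] ^ top[i][j] for j in range(n)] for i in range(m)]
    cells = [(i, j) for i in range(m) for j in range(n)]
    for i, j in rng.sample(cells, len(cells) // 2):
        top[i][j], bottom[i][j] = bottom[i][j], top[i][j]   # a swap leaves the overlay unchanged
    return top, bottom


def overlay(top, bottom):
    """Aligned symbols that are equal render grey (0); different symbols render opaque (1)."""
    return [[a ^ b for a, b in zip(rt, rb)] for rt, rb in zip(top, bottom)]


def render(layer):
    """ASCII rendering of one printed layer: every pixel becomes its 2x2 symbol."""
    lines = []
    for row in layer:
        for half in (0, 1):
            lines.append("".join(SYMBOL[bit][half] for bit in row))
    return "\n".join(lines)


def image_to_int(img):
    """Encode B as an element of Z_p^* (row-major bits, plus 1 so an all-white image is not 0)."""
    v = 0
    for row in img:
        for bit in row:
            v = (v << 1) | bit
    return v + 1


def int_to_image(v, m, n):
    bits = [(v - 1) >> (m * n - 1 - idx) & 1 for idx in range(m * n)]
    return [bits[i * n:(i + 1) * n] for i in range(m)]


def encryption_factor(signed_q):
    """k = h(S_PK(q)); h is modelled as SHA-256 reduced into the exponent range (assumption)."""
    return int.from_bytes(hashlib.sha256(signed_q).digest(), "big") % (P - 2) + 1


def encrypt(h, m, k):
    """ElGamal E_PK(m, k) = (g^k, m h^k) with public key h = g^x."""
    return pow(G, k, P), m * pow(h, k, P) % P


def make_receipt(ballot, q, signed_q, h, rng):
    """Polling station: both layers carry the 3-tuple (L_c, q, E_PK(B)) of Section 3."""
    top, bottom = make_layers(ballot, rng)
    c = encrypt(h, image_to_int(ballot), encryption_factor(signed_q))
    return (top, q, c), (bottom, q, c)


def verify_receipt(layer_top, layer_bottom, ballot, h, signed_q):
    """The voter's checks (i)-(iii); returns the label of the first failing check, else None."""
    (lt, q1, c1), (lb, q2, c2) = layer_top, layer_bottom
    if overlay(lt, lb) != ballot:
        return "i"      # the layers do not reconstruct the vote summary
    if (q1, c1) != (q2, c2):
        return "ii"     # serial number or ciphertext differs between the layers
    if encrypt(h, image_to_int(ballot), encryption_factor(signed_q)) != c1:
        return "iii"    # E_PK(B) was not formed from this ballot image and this k
    return None


def decrypt_ballot(x, c, m, n):
    """Trustee side: recover B from E_PK(B) (a single key here instead of the threshold scheme)."""
    Gc, M = c
    return int_to_image(M * pow(pow(Gc, x, P), -1, P) % P, m, n)
```

Because the voter can recompute $k$ from the signed serial number, check (iii) lets a receipt holder detect a station that encrypted a different ballot image than the one printed.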
Initialization: The trustees initialize the robust threshold ElGamal cryptosystem. A third party generates $(PK_T, [SK_{T_1}, SK_{T_2}, \ldots, SK_{T_s}])$ and distributes the share $SK_{T_j}$ to trustee $j = 1, 2, \ldots, s$. The trustees publish $PK_T$. Finally, the trustees generate the tokens that will be used for the election.

Eligibility: The voter interacts with a polling station at his/her predetermined precinct. He/she presents his/her identity $IDENT$ to the polling station (see footnote 1). The polling station transmits $IDENT$ to the facilitator where it is verified. If necessary, the facilitator invokes a challenge (see footnote 2). If $IDENT$ is eligible, the facilitator sends token $TOK$ to the voter.

Voting: The voter votes using the interface supplied by the polling station. The station encodes the vote (Section 2.3) and presents a printout. If the summary satisfies the voter, the voter commits by choosing a layer as the receipt and destroying the other. The polling station commences the mix operation. A voter can perform several mix iterations depending on his/her personal anonymity requirement. A mix iteration requires the usage of a single bulletin board slot; no two iterations will share a slot. In the following, $t$ denotes the iteration number.

(1) The voter $V_j$ posts
$$REQ = S_{SK^t_{V_j}}(PK^t_{V_j}) \qquad (1)$$
to the bulletin board. This message is a request to exchange tokens with other voters.

(2) Voter $V_i$ observes the request and posts
$$REP_i = E_{PK^t_{V_j}}\big(S_{SK^{t+1}_{V_i}}([PK^{t+1}_{V_i}, REQ])\big) \qquad (2)$$
The message expresses the willingness of $V_i$ to exchange his/her token. If several $REQ$ exist, $V_i$ randomly chooses one.

(3) At some point in time, $V_j$ proceeds with the transaction. He generates
$$LIST = S_{SK^t_{V_j}}([PK^{t+1}_{V_{\pi(1)}}, PK^{t+1}_{V_{\pi(2)}}, \ldots, PK^{t+1}_{V_{\pi(l)}}]) \qquad (3)$$
and posts it to the bulletin board and transmits it to $F$, where $2 \le l \le n$ and $\pi$ is a private one-way permutation. The voters compiled into $LIST$ are selected based on voters transmitting valid messages from step 2. In practice, $LIST$ is thought of as a transaction identifier.

(4) $V_i$ searches for his/her public key in $LIST$, where $i = 1, 2, \ldots, n$. If he/she finds his/her public key, he/she transmits
$$CONFIRM_i = S_{SK^{t+1}_{V_i}}([LIST, E_{PK_F}(TOK^t_{V_i})]) \qquad (4)$$
to $F$. If he/she fails to find his/her public key, he/she continues the protocol from step 7.

(5) $F$ waits until it receives $CONFIRM_i$ from all $V_i$ published in $LIST$. If $F$ does not receive the message from all $V_i$ in $LIST$, the protocol terminates; all $V_i$ continue from step 7. $F$ authenticates all tokens $TOK^t_{V_i}$ and confirms that they have yet to be redeemed. $F$ “redeems” $TOK^t_{V_i}$ and obtains $TOK^{t+1}_{V_i}$ for $i = 1, 2, \ldots, l$. As stated above, only $V_i$ knows the linkage between $PK^t_{V_i}$ and $PK^{t+1}_{V_i}$. Hence, $F$ cannot link $TOK^{t+1}_{V_i}$ to $V_i$.

(6) $F$ posts
$$NT = S_{SK_F}\big([E_{PK^{t+1}_{V_{\pi(1)}}}(TOK^{t+1}_{V_{\pi(1)}}), E_{PK^{t+1}_{V_{\pi(2)}}}(TOK^{t+1}_{V_{\pi(2)}}), \ldots, E_{PK^{t+1}_{V_{\pi(l)}}}(TOK^{t+1}_{V_{\pi(l)}})]\big) \qquad (5)$$
The position of $TOK^{t+1}_i$ is determined by the index of $PK^{t+1}_{V_i}$ within $LIST$. $V_i$ retrieves $TOK^{t+1}_{V_i}$.

(7) Optionally, $V_i$ participates in another mix iteration starting from step 1.

(8) $V_i$ transmits
$$EV_i = S_{SK^{t+1}_{V_i}}([PK^{t+1}_{V_i}, TOK^{t+1}_{V_i}, q, E_{PK_T}(B)]) \qquad (6)$$
to the trustees $T$ via a secure channel, thus completing the mix.

Tallying: After the polls close, all provisional and/or contested voting is resolved. $L_c$ and $q$ are stripped from the receipts and the $L_c$, ordered by $q$, are posted to the official, publicly-accessible poll website. The trustees decrypt $E_{PK}(B)$ using the robust threshold ElGamal algorithm (Section 2.1) and post $B$ to the previously mentioned website. The votes are publicly counted from the ballot images.

Footnote 1: The identity can be stored or recalled from magnetic strip cards, smart cards, RFID chips (radio frequency identification), or biometrics. The traditional eligibility process is easily amendable to support the system requirements.
Footnote 2: Challenges are dependent on the authentication scheme. They could be as simple as requesting the voter’s home address or a pass phrase.
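A simulation of the token exchange in steps (1)-(8) and of what the facilitator learns from it (the candidate-set bound argued later in Theorem 4.2), added here as an example and not part of the paper: signatures, the bulletin board messages and the encryption of tokens are abstracted away, tokens are random strings drawn from a pre-generated pool, the fresh key pairs are modelled by pseudonyms, and all class and function names are assumptions.

```python
import random
import secrets


class TokenRegistry:
    """Tokens generated offline by the trustees before the election (Section 3, Tokens). A token
    carries its election identifier, and is marked redeemed the first time it is used."""
    def __init__(self, election_id):
        self.election_id = election_id
        self.valid, self.redeemed = set(), set()

    def issue(self):
        tok = (self.election_id, secrets.token_hex(8))
        self.valid.add(tok)
        return tok

    def authenticate(self, tok):
        """Well-formed, issued for this election, and not yet redeemed; else reject."""
        if tok not in self.valid or tok in self.redeemed:
            raise ValueError("counterfeit, foreign-election or replayed token")

    def redeem(self, tok):
        self.authenticate(tok)
        self.redeemed.add(tok)


class Facilitator:
    """F in the Eligibility phase and in steps 5-6. `knowledge` records, for every token F has
    handed out, the set of voters F could attribute it to."""
    def __init__(self, registry):
        self.registry, self.knowledge = registry, {}

    def eligibility(self, ident):
        tok = self.registry.issue()
        self.knowledge[tok] = {ident}        # F knows exactly who received TOK
        return tok

    def redeem_list(self, confirms):
        """confirms: {PK^{t+1} pseudonym: TOK^t} in LIST order (steps 4-5). Returns NT as
        {pseudonym: TOK^{t+1}} (step 6). All tokens are authenticated before any is redeemed,
        so a rejected CONFIRM leaves the others unspent. F learns who took part but not which
        pseudonym belongs to whom, so every new token inherits the union of the candidates."""
        old_tokens = list(confirms.values())
        if len(set(old_tokens)) != len(old_tokens):
            raise ValueError("same token submitted twice in one LIST")
        for tok in old_tokens:
            self.registry.authenticate(tok)
        for tok in old_tokens:
            self.registry.redeem(tok)
        candidates = set().union(*(self.knowledge[t] for t in old_tokens))
        nt = {}
        for pseudonym in confirms:
            new_tok = self.registry.issue()
            self.knowledge[new_tok] = set(candidates)
            nt[pseudonym] = new_tok
        return nt

    def linking_probability(self, tok):
        """1 / |candidate set|: 1 before any mix, 1/l after one mix with l voters, at best 1/n."""
        return 1 / len(self.knowledge[tok])


def seeded_rng(seed):
    return random.Random(seed)


def mix_round(facilitator, participants, tokens, rng):
    """One iteration of steps 1-6 for the voters in `participants` (those whose REP was valid
    and who were compiled into LIST). `tokens` maps voter -> current token, updated in place."""
    pseudonyms = {v: secrets.token_hex(4) for v in participants}   # fresh PK^{t+1} per voter
    order = list(participants)
    rng.shuffle(order)                                              # the private permutation pi
    confirms = {pseudonyms[v]: tokens[v] for v in order}            # CONFIRM_i in LIST order
    nt = facilitator.redeem_list(confirms)
    for v in participants:
        tokens[v] = nt[pseudonyms[v]]    # V_i takes TOK^{t+1} at the index of its key in LIST


def cast_vote(registry, tok, encrypted_ballot, accepted):
    """Step 8 / Tallying: the trustees accept EV_i only for a valid, unredeemed token; the token
    is redeemed so a second ballot with the same token is rejected."""
    registry.redeem(tok)
    accepted.append(encrypted_ballot)
```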

This concludes the description of our voting protocol. In Figure 1 we present the sequence of messages exchanged by the participants in the proposed scheme. Voter $V_i$ sends his/her identity, $IDENT_i$, using a one-to-one communication channel to the facilitator, $F$. Voter $V_j$, where $i \ne j$, does the same. Facilitator $F$ verifies their eligibility and, if eligible, sends, using separate one-to-one communication channels, tokens $TOK_i$ and $TOK_j$ to $V_i$ and $V_j$, respectively. Voter $V_j$ posts his/her request to anonymize, $REQ$, to the bulletin board, $BB$. Posting to the bulletin board results in all participants seeing the message. The other voters receive the request and voters $V_i$ and $V_j$ respond by posting $REP_i$ and $REP_j$, respectively, to $BB$. After some time, $V_j$ continues the protocol by constructing and posting $LIST$. Assume that the public keys of $V_i$ and $V_j$ are in $LIST$. Voter $V_i$ sends his/her confirmation $CONFIRM_i$ to $F$ using a point-to-point communication channel. Voter $V_j$ does the same. Facilitator $F$ posts $NT$. Voters $V_i$ and $V_j$ submit their votes $EV_i$ and $EV_j$, respectively, over a secure channel to the trustees, $T$.

[Figure 1: message sequence chart with one column per participant ($V_i$, $V_j$, $F$, $BB$, $T$). Eligibility phase: $IDENT_i$, $IDENT_j$, $TOK_j$, $TOK_i$. Vote phase: $REQ$, $REP_i$, $REP_j$, $\{REP_i, REP_j\}$, $LIST$, $CONFIRM_j$, $CONFIRM_i$, $NT$, $EV_i$, $EV_j$.]

Fig. 1. The sequence of messages exchanged by the participants ($V_i$ is voter $i$; $V_j$ is voter $j$; $F$ is a facilitator; $BB$ is a bulletin board; and $T$ represents the trustees. One-to-one communications are represented by a solid line; one-to-all communications are represented by dotted lines).

In the next section we prove various properties of our voting scheme.

4 Properties and Complexity

The proposed scheme satisfies the criteria presented in Section 1 as follows.

Theorem 4.1. (Eligibility) The voting protocol ensures eligibility.

Proof. Casting a vote requires redeeming a token; an eligible voter is issued one and only one token in the Eligibility phase. Hence, only eligible voters are permitted to vote, and each of them is limited to a single vote.

Theorem 4.2. (Privacy) The voting protocol ensures privacy.

Proof. At the beginning of our voting scheme, F exchanges IDENT_i for TOK_i. At this point of the protocol, F is certain of the relationship between the voter V_i and his/her token TOK_i. During the mix in which F redeems TOK_i, F knows for certain that V_i is participating. But the order of public keys in LIST is random, and F cannot discern the relationship between V_i and the new token that it provides to him/her. Assume there are l voters in this phase. The facilitator knows the relationship between V_i and his/her new token with probability p = 1/l. After additional mixes, the relationship between V_i and his/her token is further clouded. The probability of discerning the relationship becomes 1/n ≤ p ≤ 1/l, where p = 1/l if V_i mixes only once or mixes repeatedly with the same set of voters, and p = 1/n if V_i mixes, by sheer chance, with every other voter. Thus, the mixes have probabilistically severed the relationship between V_i and the token he/she redeems with his/her ballot. Even if the trustees and facilitators collude, they do not have the means to link a voter's identity to either token or vote. Finally, the vote values remain secret as long as the public key cryptosystem used remains secure.

Theorem 4.3. (Accuracy) The voting protocol is accurate.

Proof. The digital signatures utilized in (6) prevent votes from being altered or tampered with. Casting a vote requires redeeming a token, and tokens are unique and unforgeable. Missing votes are discovered when they do not appear on the official website in the Tallying phase; the voter presents his/her receipt as evidence of the missing vote.

Theorem 4.4. (Fairness) The voting protocol is fair.

Proof. If the cryptographic system is secure, the vote value remains secret in transit to the trustees. The trustees cannot observe the vote value unless a coalition of t or more of them colludes.

Theorem 4.5. (Robustness) The voting protocol is robust.

Proof. A token is necessary to participate in the protocol. The only avenue available to a malicious voter is token manipulation, but forged or tampered tokens are detected and rejected by facilitators and trustees alike. Facilitators can manipulate tokens, but their efforts are frustrated, as manipulated tokens are unredeemable. No serious harm is inflicted, as the receipts provide undeniable evidence of the failure. Up to n − t trustees may fail without injuring the protocol.

Theorem 4.6. (Voter Verifiability) The voting protocol is voter verifiable.

Proof. In the Voting phase, the voter ensures that his/her vote is properly encoded. Furthermore, he/she verifies before the Tallying phase that his/her vote is included in the final tally by confirming that his/her ballot image is posted.

Theorem 4.7. (Universal Verifiability) The voting protocol is universally verifiable.

Proof. In the Tallying phase, the ballot images are publicly displayed, where any observer can confirm the tally for himself/herself.

Theorem 4.8. (Incoercibility) The voting protocol is incoercible.

Proof. The receipt is the only means by which a voter could prove his/her vote value. The receipt L_c cannot be used as evidence, since L_c is indiscernible from random noise and, furthermore, the relationship between the ballot image B and L_c, q is severed and cannot be restored.

Theorem 4.9. (Communication Complexity) The communication complexity of the voting protocol is O(n × k).

Proof. The message count for the various phases is as follows: the Eligibility phase requires two messages; each mix iteration requires n + 2l + 3 ≤ 3n + 3 ≈ 3n messages; and the Voting phase requires one message to communicate the vote to the trustees. If there are n possible voters and each voter participates in k iterations, the overall message complexity is O(nk).

[Figure 2 (component diagram, not reproduced). Facilitator Service: Network Client, Mixer, Master, Storage, Network Server. Voter Service: User Interface, Authentication Client, Other, Master, Storage, Network Client. Bulletin Board Service: Network Client, Bulletin Board, Master, Storage, Network Server. Trustee Service: Network Client, Tallier, Other, Master, Storage, Network Server. The Voter interacts with the Voter Service; the services communicate over the World Wide Web.]

Fig. 2. Diagram illustrating the relationships among the system's components.
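The token exchange and mix round of Figure 1, together with the anonymity argument of Theorem 4.2, as an added example in Python; this is not code from the paper. Tokens are modelled as unguessable random strings, signatures, encryption and the bulletin board are left out, each participant uses a fresh public key per round, and a voter's anonymity set is taken to be the union of the voters he/she has mixed with directly, exactly as the proof of Theorem 4.2 reasons. All of these are assumptions of the example. It also shows the two token checks that Theorems 4.1 and 4.5 rely on: one token per eligible voter, and no redemption of a forged or already spent token.

```python
import random
from fractions import Fraction


class Facilitator:
    """F issues one token per eligible voter and, in a mix round, redeems the tokens
    that the confirming participants present and issues a fresh token per entry of
    LIST. F sees tokens and public keys, never who stands behind a LIST entry."""

    def __init__(self, eligible, rng):
        self.rng = rng
        self.eligible = set(eligible)
        self.unredeemed = set()   # valid tokens that have not been redeemed yet
        self.issued_to = {}       # voter -> initial token: the link F learns in the Eligibility phase

    def _new_token(self):
        # Toy stand-in for the paper's token: an unguessable 128-bit value (assumption).
        return "TOK-%032x" % self.rng.getrandbits(128)

    def eligibility(self, ident):
        """IDENT_i in, TOK_i out; one and only one token per eligible voter (Theorem 4.1)."""
        if ident not in self.eligible or ident in self.issued_to:
            raise PermissionError("not eligible, or token already issued")
        tok = self._new_token()
        self.unredeemed.add(tok)
        self.issued_to[ident] = tok
        return tok

    def mix(self, confirmations, lst):
        """confirmations: {pubkey: old token} taken from the CONFIRM messages;
        lst: the shuffled LIST of public keys. Returns NT = {pubkey: fresh token}.
        Forged, duplicated or already redeemed tokens abort the round (Theorem 4.5)
        instead of being laundered into fresh ones."""
        if len(set(lst)) != len(lst) or set(confirmations) != set(lst):
            raise ValueError("LIST does not match the confirming participants")
        old = list(confirmations.values())
        if len(set(old)) != len(old) or not set(old) <= self.unredeemed:
            raise ValueError("forged or already redeemed token presented")
        self.unredeemed -= set(old)
        nt = {pk: self._new_token() for pk in lst}
        self.unredeemed |= set(nt.values())
        return nt


class Election:
    """Ground truth that F does not have: which voter holds which token and who took
    part in which round. Used to evaluate the anonymity argument of Theorem 4.2."""

    def __init__(self, n, seed=0):
        self.rng = random.Random(seed)
        self.voters = list(range(n))
        self.f = Facilitator(self.voters, self.rng)
        self.token = {v: self.f.eligibility(v) for v in self.voters}
        self.rounds = []          # participant set of every completed mix round

    def mix_round(self, participants):
        participants = list(participants)
        # Fresh public key per participant and round, so keys do not link rounds (assumption).
        pubkeys = {v: "PK-%032x" % self.rng.getrandbits(128) for v in participants}
        lst = list(pubkeys.values())
        self.rng.shuffle(lst)     # LIST order is random; this is what hides V_i from F
        nt = self.f.mix({pubkeys[v]: self.token[v] for v in participants}, lst)
        for v in participants:    # each voter takes the fresh token issued to his/her own key
            self.token[v] = nt[pubkeys[v]]
        self.rounds.append(frozenset(participants))

    def anonymity_set(self, voter):
        """Voters V_i has mixed with directly, V_i included: F can narrow V_i's current
        token down to this set but no further, following the argument of Theorem 4.2."""
        members = {voter}
        for r in self.rounds:
            if voter in r:
                members |= r
        return members

    def linking_probability(self, voter):
        """The paper's p: 1/l after one round with l voters, never below 1/n."""
        return Fraction(1, len(self.anonymity_set(voter)))


if __name__ == "__main__":
    e = Election(n=10, seed=7)
    e.mix_round([0, 1, 2, 3])
    print("one mix, l = 4:      p =", e.linking_probability(0))
    e.mix_round([0, 1, 2, 3])
    print("same set again:      p =", e.linking_probability(0))
    e.mix_round([0, 4, 5, 6])
    e.mix_round([0, 7, 8, 9])
    print("three disjoint sets: p =", e.linking_probability(0))
```

The two extreme cases of the theorem fall out directly: repeating a round with the same four voters leaves p at 1/4, while three rounds with disjoint sets of co-voters bring p down to 1/n. Note that a voter who wants more anonymity has to recruit voters he/she has not mixed with before; extra rounds with the same partners buy nothing.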

5 Implementation Issues

In this section, we discuss the issues related to the implementation of our voting protocol. The voting protocol clearly requires a distributed framework with several components executing in parallel. A reliable implementation is difficult to achieve, but not impossible. We believe that the complexity is similar in scope to e-mail transport; in fact, our design borrows from the mail transport software Postfix (Venema (2005)).

We design the system to reduce complexity and mitigate risk. Each player is a service, and each service comprises several task-specific components. Even though it is possible to have all the components of a service reside in a single process space by using multiple threads or contexts, we suggest, and the security track record of Postfix and other similarly designed applications suggests the same, that it is far better to segregate the components into different processes. Processes, unlike threads, are protected from one another and can have tailored security contexts. This permits a high-risk component (e.g., a network interface) to run with reduced privileges so that, if it is compromised, the impact is minimal. Conversely, it allows the components that require additional privileges to have their privileges escalated without escalating the privileges of the entire service. The components are simpler and smaller, as the interactions between them are better defined. Languages or platforms with automatic memory management (e.g., Java, OCaml) also assist in the goals of reduced complexity and risk. One of the more common problems leading to security vulnerabilities in today's software is memory mismanagement (e.g., buffer overflows, stack overflows, dangling pointers). Since developers no longer manage memory themselves, productivity increases and the number of vulnerabilities decreases. The system is divided into four services: voter, facilitator, bulletin board, and trustee. Multiple copies of each execute. Each service comprises at least two components: a component that acts as the network client and a master component that monitors all the others and performs, at their request, certain tasks requiring escalated privileges. Additionally, all the services except the voter service have a network server component. The master is responsible for initializing the service. Each service has access to stable storage in which it stores state information.
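The process split described above, as an added example in Python rather than code from the paper or from Postfix: a network-facing worker runs in its own process with dropped privileges and may only hand fixed-shape requests to the master over a pipe, while the master keeps the token store and re-validates every request it receives. The line format (`REDEEM <token>`), the single permitted operation, the 256-byte input cap, the in-memory token store and the use of uid/gid 65534 (nobody) are all assumptions of the example; `network_lines` stands in for bytes read from a socket.

```python
import multiprocessing as mp
import os

MAX_LINE = 256                 # assumption: cap on any line accepted from the network
ALLOWED_OPS = {"REDEEM"}       # the only operation the worker may ask the master to perform


def drop_privileges(uid=65534, gid=65534):
    """Give up root in the worker; a no-op when the service was not started as root
    (assumption: 65534 is the unprivileged 'nobody' account)."""
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)


class Master:
    """Privileged side: owns the unredeemed-token set and does the work the worker is
    not allowed to do. It trusts nothing the worker sends and re-checks every request."""

    def __init__(self, tokens):
        self._unredeemed = set(tokens)

    def handle(self, request):
        if not isinstance(request, dict) or set(request) != {"op", "token"}:
            return {"ok": False, "error": "malformed request"}
        if request["op"] not in ALLOWED_OPS:
            return {"ok": False, "error": "operation not permitted"}
        tok = request["token"]
        if not isinstance(tok, str) or tok not in self._unredeemed:
            return {"ok": False, "error": "unknown or already redeemed token"}
        self._unredeemed.discard(tok)            # a token redeems exactly once
        return {"ok": True, "token": tok}


def network_worker(conn, network_lines):
    """Unprivileged side: parses untrusted input and never sees the token store.
    Anything that fails the basic shape check is dropped here and never reaches the master."""
    drop_privileges()
    rejected = 0
    for raw in network_lines:
        parts = raw.split()
        if len(raw) > MAX_LINE or len(parts) != 2:
            rejected += 1
            continue
        conn.send({"op": parts[0], "token": parts[1]})
        conn.recv()                              # the reply would be written back to the peer
    conn.send(("EOF", rejected))
    conn.close()


def run_service(tokens, network_lines):
    """Master process: start the worker, answer its requests one by one and return
    (the master's decisions, the number of lines the worker rejected on its own)."""
    ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)
    parent_conn, child_conn = ctx.Pipe()
    worker = ctx.Process(target=network_worker, args=(child_conn, network_lines))
    worker.start()
    child_conn.close()                           # only the worker holds its end now
    master, decisions = Master(tokens), []
    while True:
        msg = parent_conn.recv()
        if isinstance(msg, tuple) and msg[0] == "EOF":
            rejected = msg[1]
            break
        reply = master.handle(msg)
        decisions.append(reply)
        parent_conn.send(reply)
    worker.join(timeout=5)
    return decisions, rejected


if __name__ == "__main__":
    # Constructed input: one valid redemption, a replay, an unknown token, a forbidden
    # operation, an oversized line and a malformed line.
    lines = ["REDEEM tok-A", "REDEEM tok-A", "REDEEM tok-C", "DELETE tok-B",
             "REDEEM " + "A" * 300, "REDEEM tok-B extra"]
    for d in run_service(["tok-A", "tok-B"], lines)[0]:
        print(d)
```

The worker can be compromised completely and still obtain nothing beyond what `Master.handle` is willing to do for a well-formed request; the token set, and any keys a real facilitator would hold, never enter the worker's address space. The master's own checks are deliberately redundant with the worker's, which is the point of the split.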
The tasks performed by a service are governed by transactions which are reflected in the stable storage. If a server fails, it continues from the previous completed transaction upon restart. We now discuss the specifics of each service. The first is the voter service. Besides the default components, it has a component that interfaces with the voter and other components that collect the information required for authentication. The voter service authenticates the user by transmitting a request to the facilitator service, which checks eligibility, and, if successful, stores the user's token in stable storage. It presents the ballot to the user, receives the selections, and generates the receipts. Again, these tasks are performed by components that exist in isolated processes. The voter commences the mixing by using the network client to transmit and receive messages. The facilitator service receives requests from the voter via the network server and communicates with the bulletin board through the network client, both of which are executed on behalf of the master. Until the various transactions are completed, it stores the tokens and keys in stable storage. Similarly, the bulletin board employs the network server and the network client to interface with the other players, storing all requests in stable storage. In regards to the scalability of the above services, voters are organized into precincts. Each precinct has a prespecified polling location. At each location, there would be several polling stations implementing the voter service, one facilitator, and one bulletin board. An average precinct has 1100 registered voters, with the largest having 2704 (EAC (2004)). With these sizes in mind, scaling the services to an election of any size is feasible. The trustee service accepts messages from the network server. A component unmarshals the messages and sends the result to other components that redeem tokens and tally the ballots. Similar to the other services, the various intermediate results are stored in stable storage. The network client transmits the ballot image to the official web site.
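The transactional stable storage described above, as an added example in Python; the paper gives no format, so the journal layout here (one JSON record per line, a `begin`, `put` records and a final `commit` per transaction, fsync on commit) and the token states are assumptions. The point it makes concrete is the restart rule: only transactions whose commit record reached the disk survive, and a transaction cut off by a crash, including a torn partial line, is discarded rather than half-applied.

```python
import json
import os
import tempfile


class Journal:
    """Append-only transaction journal on stable storage. One record per line; a
    transaction counts only once its commit record has been fsync'ed."""

    def __init__(self, path, next_tx=1):
        self.path = path
        self._fh = open(path, "a")
        self._next = next_tx

    def append(self, record):
        self._fh.write(json.dumps(record) + "\n")
        self._fh.flush()

    def transaction(self, puts):
        """Apply puts, a list of (key, value), as one transaction and return its id.
        Data records are written first, the commit record last."""
        txid, self._next = self._next, self._next + 1
        self.append({"tx": txid, "type": "begin"})
        for key, value in puts:
            self.append({"tx": txid, "type": "put", "key": key, "value": value})
        self.append({"tx": txid, "type": "commit"})
        os.fsync(self._fh.fileno())   # durable only now; a crash before this point loses the tx
        return txid

    def close(self):
        self._fh.close()


def recover(path):
    """Rebuild state after a restart: apply transactions in commit order, ignore any
    that never committed, and stop at the first torn (undecodable) line.
    Returns (state, committed_txids, uncommitted_txids)."""
    state, committed, pending = {}, [], {}
    with open(path) as fh:
        for line in fh:
            try:
                rec = json.loads(line)
            except json.JSONDecodeError:
                break                  # torn tail from a crash mid-write; nothing after it is trusted
            if rec["type"] == "begin":
                pending[rec["tx"]] = []
            elif rec["type"] == "put":
                pending.setdefault(rec["tx"], []).append((rec["key"], rec["value"]))
            elif rec["type"] == "commit" and rec["tx"] in pending:
                for key, value in pending.pop(rec["tx"]):
                    state[key] = value
                committed.append(rec["tx"])
    return state, committed, sorted(pending)


def crash_demo():
    """Constructed scenario: a facilitator commits one transaction (two tokens issued),
    begins a second one (redeeming TOK-1) and dies before its commit record is complete."""
    path = os.path.join(tempfile.mkdtemp(), "facilitator.journal")
    j = Journal(path)
    j.transaction([("TOK-1", "issued"), ("TOK-2", "issued")])
    j.append({"tx": 2, "type": "begin"})
    j.append({"tx": 2, "type": "put", "key": "TOK-1", "value": "redeemed"})
    j._fh.write('{"tx": 2, "type": "com')   # torn write: no newline, no fsync
    j.close()
    return recover(path)


if __name__ == "__main__":
    state, committed, lost = crash_demo()
    print("state after restart:", state)   # TOK-1 is still 'issued': the redemption never committed
    print("committed:", committed, "rolled back:", lost)
```

On restart the facilitator sees TOK-1 as unredeemed and re-runs the interrupted round from its last completed transaction, which is the behaviour the text asks for; the voter's receipt, not the journal, is what catches a facilitator that quietly drops the retry.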

6 Conclusion

We proposed a voter-controlled, voter-verifiable election scheme based on user-centric mix-nets. The user-centric mix-nets empower voters, as they manage the protocol themselves. Voters requiring a greater degree of anonymity than the one provided by the system can obtain it by performing additional protocol iterations. Moreover, these mix-nets demonstrate better fault tolerance than the 'classical' mix-nets. During the mix progression, voters discover the faulty parties and can easily compensate by engaging other operational parties. The incoercible, voter-verifiable receipts that we propose maintain all the properties of the original Chaumian receipts. The scheme is efficient in terms of message complexity, which increases linearly with the number of voters. We are planning to investigate more efficient receipt encodings. The encoding we presented is complex and is intended for human interpretation rather than machine interpretation. A better encoding would be less complex and machine interpretable. We plan an investigation into substituting a more efficient cryptosystem (e.g., elliptic curve cryptography (ECC) (Menezes et al. (1996))) for ElGamal.

Acknowledgment. The authors wish to express their thanks to the editor and the anonymous referees for their helpful and constructive suggestions, which considerably improved the quality of the paper. This paper is a revised and significantly extended version of Carroll and Grosu (2005), presented at the IEEE International Conference on Information Technology: Coding and Computing (ITCC 2005). This research was supported, in part, by NSF grant DGE-0654014.

References

Abe, M., 1998. Universally verifiable mix-net with verification work independent of the number of mix-servers. In: EUROCRYPT '98. Vol. 1403 of LNCS. Springer-Verlag, pp. 437–447.
ACM, October 2004. ACM statement on voting systems. Communications of the ACM 47 (10), 70.
Acquisti, A., 2002a. An anonymous, fair voting/recommendation system. Tech. rep., School of Information Management and Systems, UC Berkeley.
Acquisti, A., Nov. 2002b. An user-centric MIX-net protocol to protect privacy. In: Proc. of the Workshop on Privacy in Digital Environments: Empowering Users.
Baudron, O., Fouque, P. A., Pointcheval, D., Poupard, G., Stern, J., 2001. Practical multi-candidate election system. In: Proc. of the ACM Symposium on Principles of Distributed Computing. pp. 274–283.
Benaloh, J., 1987. Verifiable secret-ballot elections. Ph.D. thesis, Yale University.
Bradsher, K., Kahn, J., Mar. 21 2004. Taiwan's leader re-elected, but tally is disputed. International Herald Tribune.
Carroll, T. E., Grosu, D., April 2005. A secure and efficient voter-controlled anonymous election scheme. In: Proc. of the IEEE International Conference on Information Technology: Coding and Computing. pp. 721–726.
Chaum, D., Feb. 1981. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24 (2), 84–88.
Chaum, D., 1982. Blind signatures for untraceable payments. In: CRYPTO '82. Plenum Press, pp. 199–203.
Chaum, D., 1988. Elections with unconditionally secret ballots and disruption equivalent to breaking RSA. In: EUROCRYPT '88. Vol. 330 of LNCS. Springer-Verlag, pp. 177–182.
Chaum, D., Jan./Feb. 2004. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy 2 (1), 38–47.
Chaum, D., Ryan, P. Y. A., Schneider, S. A., 2005. A practical voter-verifiable election scheme. In: ESORICS 2005. Vol. 3679 of LNCS. Springer-Verlag, pp. 118–139.
Cramer, R., Franklin, M., Schoenmakers, B., Yung, M., 1996. Multi-authority secret-ballot elections with linear work. In: EUROCRYPT '96. Vol. 1070 of LNCS. Springer-Verlag, pp. 72–83.
Cramer, R., Gennaro, R., Schoenmakers, B., 1997. A secure and optimally efficient multi-authority election scheme. In: EUROCRYPT '97. Vol. 1233 of LNCS. Springer-Verlag, pp. 103–118.
Cranor, L., Cytron, R., 1997. Sensus: A security-conscious electronic polling system for the Internet. In: Proc. of the Hawaii International Conference on System Sciences. pp. 561–570.
Damgård, I., Jurik, M., 2001. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In: Public Key Cryptography '01. Vol. 1992 of LNCS. Springer-Verlag, pp. 119–136.
Desmedt, Y., Frankel, Y., 1990. Threshold cryptosystems. In: Advances in Cryptology – CRYPTO '89. Vol. 435 of LNCS. Springer-Verlag, pp. 307–315.
Di Franco, A., Petro, A., Shear, E., Vladimirov, V., Oct. 2004. Small vote manipulations can swing elections. Communications of the ACM 47 (10), 43–45.
EAC, 2004. U.S. Election Assistance Commission, 2004 Election Day Survey. Ch. 13, Polling Places.
FEC, 2000. Known vendors of computerized vote tabulation systems. http://www.fec.gov/pages/vendors12-00.htm.
FEC, 2002. Voting system standards. http://www.fec.gov/pages/vssfinal/vss.html.
Fujioka, A., Okamoto, T., Ohta, K., 1993. A practical secret voting scheme for large scale elections. In: AUSCRYPT '92. Vol. 718 of LNCS. Springer-Verlag, pp. 244–251.
Hirt, M., Sako, K., May 2000. Efficient receipt-free voting based on homomorphic encryption. In: EUROCRYPT '00. Vol. 1807 of LNCS. Springer-Verlag.
Jakobsson, M., 1999. Flash mixing. In: Proc. of the 18th ACM Symposium on Principles of Distributed Computing (PODC '99). ACM, pp. 83–89.
Jakobsson, M., Juels, A., Rivest, R., 2002. Making mix nets robust for electronic voting by randomized partial checking. In: USENIX Security '02. pp. 339–353.
Jefferson, D., Rubin, A. D., Simons, B., Wagner, D., 2004. A security analysis of the secure electronic registration and voting experiment (SERVE). Tech. rep.
Kohno, T., Stubblefield, A., Rubin, A. D., Wallach, D., 2003. Analysis of an electronic voting system. Tech. rep. TR-2003-19, Johns Hopkins Information Security Institute.
Magkos, E., Burmester, M., Chrissikopoulos, V., 2001. Receipt-freeness in large-scale elections without untappable channels. In: Proc. of the 1st IFIP Conference on E-Commerce, E-Business and E-Government. Kluwer Academic Publishers, pp. 683–693.
Menezes, A. J., van Oorschot, P. C., Vanstone, S. A., 1996. Handbook of Applied Cryptography. CRC Press, Inc.
Mercuri, R., 2002. A better ballot box? IEEE Spectrum 39, 46–50.
Michels, M., Horster, P., 1996. Some remarks on a receipt-free and universally verifiable mix-type voting scheme. In: ASIACRYPT '96. Vol. 1163 of LNCS. Springer-Verlag, pp. 125–132.
Monteagudo Jr., L., Gao, H., Apr. 8 2004. Some votes miscounted in primary, officials say. The San Diego Union-Tribune. URL http://www.signonsandiego.com/news/politics/20040408-9999-1m8vote.html
Naor, M., Shamir, A., 1995. Visual cryptography. In: De Santis, A. (Ed.), Advances in Cryptology – EUROCRYPT '94. Vol. 950 of LNCS. Springer-Verlag, pp. 1–12.
Neff, A., 2001. A verifiable secret shuffle and its application to e-voting. In: Proc. of the ACM Conference on Computer and Communications Security. pp. 116–125.
Ohkubo, M., Miura, F., Abe, M., Fujioka, A., Okamoto, T., 1999. An improvement on a practical secret voting scheme. In: Second International Workshop on Information Security. Vol. 1729 of LNCS. Springer-Verlag, pp. 225–234.
Okamoto, T., 1997. Receipt-free electronic voting schemes for large scale elections. In: Security Protocols Workshop. Vol. 1361 of LNCS. Springer-Verlag, pp. 25–35.
Petersen, H., Horster, P., Michels, M., 1995. Blind multisignature schemes and their relevance to electronic voting. In: Proc. of the 11th Annual Computer Security Applications Conference. IEEE Press, pp. 149–155.
Punchscan, 2008. Punchscan: See your vote count. http://www.punchscan.org/.
Rein, L., January/February 2004. The IEEE P1583 Voting Machine Standard. IEEE Internet Computing, 11.
Rubin, A., 2002. Security considerations for remote electronic voting. Communications of the ACM 45, 39–44.
Ryan, P. Y. A., Bryans, J. W., May 2004. A simplified version of the Chaum voting scheme. Tech. rep., School of Computing Science, University of Newcastle upon Tyne, UK.
Ryan, P. Y. A., Schneider, S. A., 2006. Prêt à Voter with re-encryption mixes. In: ESORICS 2006. Vol. 4189 of LNCS. Springer-Verlag, pp. 313–326.
Sako, K., Kilian, J., 1995. Receipt-free mix-type voting scheme. In: Advances in Cryptology – EUROCRYPT '95. Vol. 921 of LNCS. Springer-Verlag, pp. 393–403.
Shamos, M., 2004a. Paper v. electronic voting records - an assessment. Tech. rep., Carnegie Mellon University.
Shamos, M., May 26–27 2004b. Theory v. practice in electronic voting. In: DIMACS Workshop on Electronic Voting – Theory and Practice. Rutgers University, New Jersey.
Shannon, C. E., 1949. Communication theory of secrecy systems. Bell System Technical Journal 28 (4), 656–715.
Venema, W., Feb. 2005. Postfix. http://www.postfix.org/.
Vora, P., May 26–27 2004. David Chaum's voter verification using encrypted paper receipts. In: DIMACS Workshop on Electronic Voting – Theory and Practice. Rutgers University, New Jersey.
