Verifiable Secret-Ballot Elections
Abstract

Verifiable Secret-Ballot Elections

Josh Daniel Cohen Benaloh
Yale University

Privacy in secret-ballot elections has traditionally been attained by using a ballot box or voting booth to disassociate voters from ballots. Although such a system might achieve privacy, there is often little confidence in the accuracy of the announced tally. This thesis describes a practical scheme for conducting secret-ballot elections in which the outcome of an election is verifiable by all participants and even by non-participating observers. All communications are public, yet under a suitable number-theoretic assumption, the privacy of votes remains intact.

The tools developed here to conduct such elections have additional independent applications. Cryptographic capsules allow a prover to convince verifiers that either statement A or statement B is true without revealing substantial information as to which. Secret sharing homomorphisms enable computation on shared secret data and give a method of distributing shares of a secret such that each shareholder can verify the validity of all shares.

Verifiable Secret-Ballot Elections

A Dissertation Presented to the Faculty of the Graduate School of Yale University in Candidacy for the Degree of Doctor of Philosophy

by Josh Daniel Cohen Benaloh

December

© Copyright by Josh Daniel Cohen Benaloh
ALL RIGHTS RESERVED

to my wife, Laurie, in the spirit of Benaloh

Acknowledgements

I owe a great many debts to people who have given me generous help with much of this work. My advisor, Mike Fischer, has had the often quite difficult task of teaching me the discipline required to do work in theoretical computer science. He has used his marvelous intuition to channel my efforts away from the many dead ends which I would have happily spent months, if not years, exploring. Mike has also taught me the importance of the hard work that, although unpleasant, is necessary to make clever ideas into worthwhile results.

Shafi Goldwasser and Neil Immerman served as my other official readers. Neil read my work with tremendous patience and care. He has more than once given his time and talents to help me over trouble spots, and his great enthusiasm has often added enjoyment to what would otherwise be the dullest of tasks. Shafi has shown great interest in my work from its earliest forms. She has contributed much to the field, and my work simply would not have been possible without the fundamental achievements of which she is one of the leading pioneers.

There are many others to whom I am indebted. Silvio Micali has been enthusiastic about my ideas in the many conversations we have had, and this work is built upon many of the important ideas which he has contributed. Oded Goldreich has been very supportive of my work, and he added a key insight which led to one of the major applications. Dana Angluin has a wonderfully vast knowledge of theoretical computer science which she has always shared generously along with her keen perspective of the field and of life in general. Lenny Pitt and Gregory Sullivan served as beacons to show that there is indeed life after Yale. Dave Greenberg, Ruben Michel, and David Wittenberg have always been willing to listen to my ideas, add their own, and generally make life as a graduate student far more pleasant. Among the others who have been of great help to me are Gilles Brassard, Don Coppersmith, Claude Crépeau, Paul Feldman, Joe Kilian, Jerry Leichter, Moti Yung, and many more to whom I now apologize for having omitted.

Most of all, I want to express my deepest gratitude to my wife, Laurie. Besides her constant support and her assumption of many chores which I neglected during the more intensive periods of this work, she took the time to carefully read the first draft of this thesis. She found typographical errors, suggested clarifications, and simplified proofs. Her drudge work enabled my other readers to receive a far more polished product, and if I'd incorporated more of her recommendations when they were made, I would have had fewer complaints about later versions from my other readers.

Contents

Introduction and Overview
The Election Encryption Function and its Properties
Probabilistic Encryption
Higher Residues
Residue Classes
The Consonance Property
Characterizations of Consonance
Prime Consonance
Perfect Consonance
Deciding Residue Classes
Evaluations and Decompositions
The Election Encryption Function E
The Prime Residuosity Assumption
Elementary Elections
Interactive Proofs and the use of Cryptographic Capsules
Some Interactive Proofs
r An Interactive Proof that z Z n
An Interactive Proof that w RC c
An Interactive Proof that w w
An Interactive Proof that r n y is consonant
Cryptographic Capsules
Capsules and Residues
r An Interactive Proof that y Z n
An Interactive Proof of Prime Consonance
Result-indistinguishable Residuosity
Graph Nonisomorphism
Boolean Circuit Satisfiability
Basic Elections
Secret Sharing Homomorphisms
Threshold Schemes
The Homomorphism Property
Composite Security
Some Examples
Verifiable Secret Sharing
Secret-Ballot Elections
Overview of Secret-Ballot Elections
Related Work
Election Definitions
Verifiable Elections
Public Voting
Privacy
An Election Paradigm
Votes and Ballots
Votes
Decompositions of Votes
Ballots
A Verifiable Secret-Ballot Election Schema
The function check
check I
check V
check T
check
Time and Space Requirements
Time Requirements
Space Requirements
Correctness
Security
An Overview of the Reduction
Simulating Elections
The Symmetry Condition
The Formal Reduction
Usage and Optimizations
Parallelization
Asynchrony
Other Streamlining
Extensions and Variations
Multiway Elections
Preferential Voting
Giving the Winner without the Tally
Related Schemas
Conclusions

Chapter
Introduction and Overview

Over the last decade, the field of public-key cryptography has flourished within theoretical computer science. Techniques based upon infeasible computations now exist which allow one to perform tasks that seem to defy intuition. This thesis broadens the scope of some known techniques and develops a number of new ones. Some of the methods given here also greatly simplify many previous cryptographic protocols.

Although there are many applications for the tools presented here, there is one common thread throughout this work. Virtually all of the tools described are incorporated to construct a schema for holding secret-ballot elections in which the outcome of an election is verifiable by all participants and observers. This schema has a number of desirable properties.

The schema is practical. The necessary protocols can be run in reasonable time with current technology. In addition, the protocols contain a large amount of intrinsic parallelism. Expected future technologies can make these protocols extremely fast.

Every participant and even mere observers can verify the tally of an election. They can be convinced that, with extremely high probability, the election tally given represents the true tally of the election.

The schema is robust. No action can be taken by any voter or set of voters which will corrupt or disrupt the election in any way. Failure of up to half of the appointed tellers, or vote counters, can be withstood without corrupting or disrupting the election.

The secrecy of legitimate votes remains intact, under a cryptographic assumption to be described later, even if up to half of the tellers and an arbitrary set of voters collude. This number can be increased up to the point where, if even one teller remains honest, then privacy of votes is maintained, but there is a corresponding decrease in the number of teller failures which an election can survive.

One of the additional applications developed here arises from the notion of secret sharing homomorphisms. Secret sharing, as developed by Blakley and Shamir, allows shares of a secret to be distributed to many shareholders in such a way that any subset of shareholders of size beyond a predetermined threshold can reconstruct the secret. Smaller
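
Added example (not code from the thesis): a Shamir threshold scheme whose shares can be added locally by each teller, so that any k of n tellers reconstruct the sum of the votes while no individual vote is ever reconstructed. It shows only the additive homomorphism, not ballot-validity checks or verifiability. The prime P, the function names and the sample votes are assumptions made for illustration.

```python
import secrets

# Assumption for this example: all arithmetic is in GF(P), P a Mersenne prime
# far larger than any possible tally.
P = 2**61 - 1

def share(secret, k, n):
    """Split `secret` into n shares (x, f(x)); any k of them determine f(0)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial
            y = (y * x + c) % P
        shares[x] = y
    return shares

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over a dict {x: y} of shares."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def tally(votes, k, n, responding):
    """Voters share 0/1 votes among n tellers; each teller adds what it holds."""
    sums = {x: 0 for x in range(1, n + 1)}
    for v in votes:
        for x, y in share(v, k, n).items():
            sums[x] = (sums[x] + y) % P  # a teller only ever sees shares
    alive = set(responding)
    if len(alive) < k:
        raise ValueError("fewer than k tellers responded; tally is unrecoverable")
    # Sum of shares is a valid share of the sum, so this yields the tally only.
    return reconstruct({x: sums[x] for x in alive})

# Constructed sample input: seven voters, four "yes" votes.
VOTES = [1, 0, 1, 1, 0, 1, 0]

if __name__ == "__main__":
    print(tally(VOTES, k=3, n=5, responding=[1, 3, 5]))
```

With k = 3 and n = 5 the tally survives the failure of two tellers, and two colluding tellers hold too few shares to interpolate any polynomial.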