Smith typeset 12:13 10 Sep 2005 crypto vote Cryptography meets voting Warren D. Smith∗ [email protected] September 10, 2005 Abstract — We survey the contributions of the entire the- 4.19 Designated-verifier ZK-proofs; deniable signa- oretical computer science/cryptography community dur- tures........................ 19 ing 1975-2002 that impact the question of how to run ver- 4.20 Zeroknowledgeproofofsinglebit . 20 ifiable elections with secret ballots. The approach based 4.21 Bit “commitments” and “oblivious transfer” . 21 on homomorphic encryptions is the most successful; one 4.22 Zero knowledge proof number is in interval . 23 such scheme is sketched in detail and argued to be fea- 4.22.1 A flawed procedure by Fabrice Boudot . 23 sible to implement. It is explained precisely what these 4.22.2 A new procedure that repairs Boudot’s ideas accomplish but also what they do not accomplish, flaws.................... 23 and a short history of election fraud throughout history 4.23 Proof of El Gamal encryption of a single bit is included. andofanumberinaninterval . 25 4.24 Co-signing, dating, and “bit-by-bit release” technique ..................... 25 Contents 4.25 Otherzeroknowledgeproofs. 26 4.26 Faster general purpose zero knowledge proofs . 26 1 Introduction 2 4.27 Secure general multiparty computation . 28 2 Election Desiderata 2 5 Voting–realizationofpossibility 31 3 The top things to know about crypto 3 5.1 Electionhashes . 33 3.1 Essentials of speed, security, and parallelism . 4 6 Where are we now? 33 3.2 Elliptic curve groups – why you want them and 7 The four main approaches to efficient and fully- howtousethem ................. 5 secure elections 33 3.3 Still faster with secret key cryptography . 8 7.1 Mixnets ...................... 35 4Algorithmictoolkit 8 7.2 Homomorphic cryptography and its uses . 37 4.1 Fastpoweringinsemigroups. 8 7.3 A practical secure election: Homomorphic re- 4.2 Fast inversion and square roots in finite groups 8 pair to 5’ssemi-trustedscheme. 37 § 4.3 Finding discrete logarithms in “black-box”groups 8 7.4 Heterodoxvotingschemes . 39 4.4 Onetimepads .................. 9 7.5 Voting via secret sharing and secure general 4.5 Secretkeycryptosystems . 10 multiparty computations . 40 4.6 Keyexchange................... 11 8 We trade fire with electronic voting opponent 4.7 Public key cryptosystems via RSA one way Rebecca Mercuri 41 functions ..................... 11 9 Examples of real world voting frauds, errors, 4.8 Public key cryptosystems via Elgamal . 11 deceptions, suspicious events, and stupidities 43 4.9 Digital signatures via RSA or Elgamal . 12 9.1 Voter registration and eligibility . 43 4.10 Blindsignatures . 12 9.2 Votecollecting . 45 4.11 Secretsharing. 13 9.3 The story of the Ukraine election in 2004 . 45 4.12 Verifiable shuffles and mixnets . 15 9.4 The USA 2004 presidential election, with focus 4.13 Zero knowledgeproofprotocols . 16 onOhio ...................... 46 4.14 (Poor)Efficiency . 17 9.5 Votebuying.................... 49 4.15 Zero knowledge proof that know discrete log . 17 9.6 Electronic voting machines . 50 4.16 Zero knowledge test of discrete log equality . 18 9.7 Votecounting.. .. .. .. .. .. .. .. .. 53 4.17 Zero knowledge proof of one of several discrete 9.8 Threefraud-aidedUS Presidents . 53 logs; ORing and ANDing zero-knowledge proofs 19 9.9 Election fraud as a government-toppling or 4.18 ZK-proof of at least k-out-of-n statements . 19 democracy-destroyingevent . 56 9.10 Conclusions . 56 ∗21 Shore Oaks Drive, Stony Brook NY 11790. Sep 2004; revised Jan 2005 1 0. 0. 0 Smith typeset 12:13 10 Sep 2005 crypto vote 10 Will quantum computers destroy cryptographic this sort collecting all this material in one place, we are now electionprotocols? 56 for the first time able to see the “big picture” and hence to 11 Conclusions 57 reach some conclusions that seem not to have been previously reached, or at least not previously clearly explained. 11.1Tenlessons .................... 57 11.2 Whatwecanandcannotdo. 58 References 59 2 Election Desiderata 1 Introduction Here are three, possibly conflicting, desires. 1a. Easy cheap elections: To get tremendous savings in We are going to explain, survey, criticize, and evaluate all cost and increases in accuracy and convenience, we want elec- the main cryptographic procedures that have been proposed tions to be run using computers and the internet. for the purpose of holding verifiable and secure secret-ballot 1b. Hard-to-steal: But people are also afraid (with rea- elections. We begin by listing election desiderata in 2. Then son!) that such automation would also make it easy to steal 3-4 surveys and explains most of the highlights of§ crypto- elections – quite possibly without anybody even noticing! We graphic§ theoretical computer science during 1978-1995, espe- want it to be difficult or impossible to cheat – so difficult, in cially“zero knowledge proof”technology. This is all developed fact, that even huge corporations, and spy agencies such as from the ground up (or anyhow from a fairly low level) and in the NSA and CIA, should be unable to do it. enough detail to try to make everything readable by political scientists and programmers, and to permit engineers to be- 1c. Hack/destruction immunity; recountability: The gin system implementation now, without need of any source trouble with running elections via computers, electronics, and besides this. In fact, this is a superior introduction to mathe- the internet is: those things could be destroyed, or rendered matical cryptography than any other source I know, although temporarily disfunctional, or their data erased, by some en- a planned book by Daniel J. Bernstein titled“high speed cryp- emy. So it is necessary that all votes be stored in lower-tech, tography” (partially available on his web site) should eclipse but less vulnerable, forms (e.g. on paper ballots) to permit a us and Schneier’s book [136] is a highly recommended broad recount in such an event. But that seems to prevent the cost survey, although limited in its detail and having some aston- savings in 1a. 1 ishing omissions. (Meanwhile, in the other direction, we will Here is a quadruplet of desires which again seem (now even point out some political desiderata that seem to have gone more strongly) to be in conflict (and also to conflict with 1c): unnoticed by the crypto-CS community.) The algorithmic toolkit from 3-4 is summarized in a handy table and then 2a. Secret ballots: Nobody but the voter should know how used in 5-7 to§ design different voting systems. he voted (because otherwise pressure could be placed on that § voter to vote in a certain way). 6 and 8 review what we have learned. The latter analy- ses§ and§ corrects the adamant anti-electronic-voting views of 2b: No sale: Even more strongly, even if the voter wants voting expert Rebecca Mercuri. 9 surveys election frauds to reveal how he voted, he should be unable to do that in throughout history, focusing especially§ on recent and Ameri- any way more convincing than just his unsupported asser- can history. Due to the timidity of the US press, it is not com- tion (because otherwise that voter would be able to “sell his monly realized that 3 US presidents during 1950-2000 were vote”). The voter should still be unable to do this even if he elected with substantial aid from fraud, at least comparable collaborates with a (corrupt) election authority. to and sometimes far exceeding their winning margins. 2c. Invisible abstention? Some support the still stronger Finally, 11 lays out what conclusions we have been able to idea is that nobody but the voter (or somebody who has been reach, including§ some not appreciated before. observing him continually) should even be able to tell whether he voted (because otherwise pressure could be placed on that The whole political-science question of which vote-combining voter to refrain from voting). method should be used is largely – but not entirely – inde- pendent of the computer-science question of how to implement 2d. Verifiability: All should be able to verify that only au- a given vote-combining method in such a way as to protect thorized voters voted, they voted at most once and in a valid voter privacy, make everybody confident the right election re- manner, and their votes then were correctly used to determine sults got computed, etc. We are here focusing almost entirely the election result. Each voter should be able to verify that on the computer-science question. he successfully voted and his unaltered vote was incorporated This is a survey of the contributions relevant to voting of the into the election result. entire CS-cryptographic community. It therefore is mostly 2a, 2b, and 2c are really increasing-strength versions of the unoriginal work. Nevertheless, to my surpise it now includes same thing. We might imagine achieving 2a by having vote a fair number of new theoretical contributions2 as well as some submissions be encrypted so that nobody besides the voter numerous improvements more pedagogical rather than foun- and recipient knows the vote. With more cleverness perhaps dational. Because there has not previously been a survey of we could make the recipient also incapable of decrypting – 1For example, although Schneier extensively discusses Shamir secret sharing (our 4.11), he does not mention many details, e.g. verifiable secret sharing is given only 1 sentence, and ignores its main theoretical use, secure multiparty§ computation ([18][40], our 4.27). 2New tables of nice safeprimes ( 3.1), new kinds of signatures ( 4.10), new general purpose zero knowledge proof§ protocols ( 4.26), new recog- nition of the inefficiency of Boudot’s§ interval-membership proofs ( §4.22) and first way to repair that flaw, new realizations about§ voting, and new homomorphic voting scheme involving “designated verifier” zero knowledge§ proofs to prevent voters from constructing “receipts.” Sep 2004; revised Jan 2005 2 2.