CALTECH/MIT VOTING TECHNOLOGY PROJECT A multi-disciplinary, collaborative project of the California Institute of Technology – Pasadena, California 91125 and the Massachusetts Institute of Technology – Cambridge, Massachusetts 02139 ADVANCES IN CRYPTOGRAPHIC VOTING SYSTEMS BEN ADIDA MIT Key words: voting systems, cryptographic, election administration, secret- ballot elections VTP WORKING PAPER #51 September 2006 Advances in Cryptographic Voting Systems by Ben Adida Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY August 2006 c Massachusetts Institute of Technology 2006. All rights reserved. Author . .................................................................. Department of Electrical Engineering and Computer Science August 31st, 2006 Certified by . ............................................................. Ronald L. Rivest Viterbi Professor of Electrical Engineering and Computer Science Thesis Supervisor Accepted by . ............................................................ Arthur C. Smith Chairman, Department Committee on Graduate Students 2 Advances in Cryptographic Voting Systems by Ben Adida Submitted to the Department of Electrical Engineering and Computer Science on August 31st, 2006, in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Abstract Democracy depends on the proper administration of popular elections. Voters should receive assurance that their intent was correctly captured and that all eligible votes were correctly tallied. The election system as a whole should ensure that voter coercion is unlikely, even when voters are willing to be influenced. These conflicting requirements present a significant challenge: how can voters receive enough assurance to trust the election result, but not so much that they can prove to a potential coercer how they voted? This dissertation explores cryptographic techniques for implementing verifiable, secret- ballot elections. We present the power of cryptographic voting, in particular its ability to successfully achieve both verifiability and ballot secrecy, a combination that cannot be achieved by other means. We review a large portion of the literature on cryptographic voting. We propose three novel technical ideas: 1. a simple and inexpensive paper-base cryptographic voting system with some interesting advantages over existing techniques, 2. a theoretical model of incoercibility for human voters with their inherent limited com- putational ability, and a new ballot casting system that fits the new definition, and 3. a new theoretical construct for shuffling encrypted votes in full view of public observers. Thesis Supervisor: Ronald L. Rivest Title: Viterbi Professor of Electrical Engineering and Computer Science 3 4 Acknowledgments Ron Rivest was already my Master’s Thesis Advisor in 1998-1999.He welcomed me back into his group after my 4-year leave of absence and found research funding for me by my second semester. His top-notch advice, endless encouragement, and bottomless well of knowledge were invaluable. His constant dedication to the field of cryptography, to scientific rigor, and to teaching, amaze me still every day. My committee members, Shafi Goldwasser and Srini Devadas, were so encouraging that my defense felt more like a family get-together than an exam (okay, not quite.) The Knight Foundation funded my work with the Caltech/MIT Voting Technology Project. Stephen Ansolabehere helped me get started with the group and provided precious advice along the way. His unrivaled expertise in election matters was crucial to our debates. His humor made our meetings seem much shorter than they actually were. Hal Abelson has been a close mentor for 10 years. His predictions seem outlandish only because they are, conservatively, 2 years ahead of their time. His dedication and unequaled talent for teaching will always be among my greatest inspirations. His positive impact on the world is exceeded only by his humility, and I am honored to have the opportunity to work with him in any fashion. Andy Neff, my long-distance collaborator, possesses a strength in the face of absurd adversity that I have rarely seen. His ideas are groundbreaking and elegant, and I struggle to keep up. He is maybe the ultimate unspoken hero of voting. If we ever achieve secure verifiable voting, it is hard to imagine that one of his ideas wouldn’t be part of the solution. Douglas Wikstr¨om, my other long-distance collaborator, smacked me around for incomplete proofs (I deserved it.) Mike Bond, Jolyon Clulow, and Ross Anderson hacked my ATM card with a British accent. John Herzog, Paul Youn, Amerson Lin, provided the American (and Singaporian) counter-part. Susan Hohenberger and I finally got our anti-phishing paper published, though it was a book chapter before it was a conference paper (go figure.) She and my other officemates Steve Weis, Seth Gilbert, and David Liben-Nowell, suffered my incessant yapping about policy, privacy, copyright reform, and free software. Chris Peikert reviewed large portions of this work as a last-minute favor, catching bugs I would surely have missed, and suggesting brilliant improvements. He, along with Rafael Pass, Alon Rosen, abhi shelat, and Guy Rothblum were always willing to explain the theoretical crypto concepts I had forgotten, missed, or just not understood. David Chaum, the man behind a disproportionate number of the major cryptographic break- throughs of the last 30 years, got me involved in voting standards work and provided endless entertainment at CRYPTO. Every voting crypto idea seems to have its root in one of David’s early proposals. 5 Danny Weitzner, Ralph Swick, and Eric Miller were my guides in the wild world of the W3C. Zak Kohane, Pete Szolovitz, and Ken Mandl were my guides in the land of medical informatics, bioinformatics, and genomic medicine. Philip Greenspun helped me return to MIT by offering me a TAship in his course for my first semester back. Gerald Ruderman provided unbeatable advice and encouragement. My parents, Pierre and Yvette, eventually stopped asking questions about the detail of my work—long past the point I expected—but never stopped encouraging me, congratulating me on successes big and small, and dismissing my failures as other people’s faults. I could not have asked for better parents. Claire regaled me with her stories of far-away lands and adventures, and Juliette found her path to success while helping me plan my wedding from across the Atlantic. I could not have asked for better sisters. Speaking of wedding... I met my wife Rita the first week I returned to MIT. The moment I met her, I knew. The rest, all of this, is details. 6 This work is dedicated to my grandparents, Marguerite, Adolf, Salomon, and Marcelle. They encouraged me to explore, and I went looking for things to decrypt. 7 8 Contents 1 Introduction 23 1.1 A Brief History of Voting ............................. 24 1.2 What Makes Voting so Hard? .......................... 26 1.2.1 Verifiability vs. Secrecy .......................... 26 1.2.2 Threat Modeling: Planes, Banks, and Voting Machines ........ 27 1.2.3 Auditing a Partially Secret Process ................... 29 1.3 Classic Voting Systems .............................. 29 1.3.1 Chain-of-Custody Security ........................ 30 1.3.2 The Erosion of the Secret Ballot ..................... 30 1.3.3 The Voter-Verified Paper Audit Trail . ............... 32 1.4 Cryptographic Voting Schemes .......................... 32 1.4.1 End-to-End Verifiability ......................... 33 1.4.2 A Bulletin Board of Votes ........................ 34 1.4.3 A Secret Voter Receipt .......................... 35 1.4.4 Tallying the Ballots ............................ 36 1.4.5 The Promise of Cryptographic Voting . ............... 39 1.5 Contributions of this Work ............................ 39 1.5.1 Mixnet Literature Review ........................ 39 1.5.2 Scratch & Vote .............................. 39 1.5.3 Ballot Casting Assurance &p 2503 4736287 45396786 Assisted-Human Interactive Proofs ................... 40 1.5.4 Public Mixing ............................... 40 1.5.5 Collaboration and Authorship ...................... 41 1.6 Organization ................................... 41 2 Preliminaries 43 2.1 Basics ....................................... 43 2.2 Public-Key Encryption .............................. 43 2.2.1 IND-CPA Security ............................. 44 2.2.2 IND-CCA Security ............................. 46 2.2.3 IND-CCA2 Security ............................ 47 2.2.4 IND-RCCA Security ............................ 48 2.3 Homomorphic Public-Key Encryption ...................... 48 9 2.3.1 Re-encryption ............................... 49 2.3.2 Security of Homomorphic Cryptosystems . ............... 49 2.3.3 Homomorphic Schemes in Practice ................... 49 2.4 Threshold Public-Key Cryptosystems ...................... 51 2.4.1 Secret Sharing ............................... 52 2.4.2 Secure Multi-Party Computation .................... 52 2.4.3 Efficient Threshold Schemes ....................... 53 2.5 Zero-Knowledge Proofs .............................. 54 2.5.1 Zero-Knowledge Variants ......................... 55 2.5.2 Proofs of Knowledge ........................... 56 2.6 Program Obfuscation ............................... 56 2.6.1 First Formalization ............................ 57 2.6.2 Auxiliary Inputs