IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY: SPECIAL ISSUE ON ELECTRONIC VOTING 1 Voting with Unconditional Privacy by Merging Pret-ˆ a-Voter` and PunchScan Jeroen van de Graaf Abstract—We present a detailed comparison of the Pret-ˆ a-` B. Unconditional or everlasting privacy Voter and Punchscan protocols for booth voting. We also describe a simpler variation that keeps the ballot layout of Pret-ˆ a-` Most election systems so far, with the notable exception Voter but borrows the cryptography from Punchscan, which of [8],[9] and [10], have the property that they provide is based on any commitment scheme. By using unconditionally only computational privacy of the ballot. This flaw is really hiding commitments we obtain a conceptually very simple voting worrisome for the following reason: with storage becoming protocol with unconditional privacy. cheaper and cheaper every year, we must assume that all data Index Terms—election protocols, voting protocols, bit commit- published during an election protocol will never be erased, ment, unconditional privacy i.e. that some copy of it survives forever. Sooner or later, the underlying computational assumption will be broken, so eventually it will become public who voted for whom. I. INTRODUCTION Though one can argue that this information might have A. Motivation become irrelevant after many decades, this point is more Over the last few years we have seen a sequence of papers important than it seems. For instance, people might like to on voter-verifiable elections. The idea of these systems is to know who the President of the United States voted for when he provide the voter with a receipt which, on the one hand, allows was young—perhaps he flirted with the communist party. Even her to verify that her vote is included in the tally; but on the today historians will find it interesting to know Churchill’s other, the receipt does not reveal any information about her voting behavior in 1900, when he was about twenty-five years choice. Though this idea is not new[1], Chaum’s paper [2] old. More dramatic is a scenario in which a ruthless dictator arguably gave a new impetus to this line of research (see also gets into power after decades of trying. Once in power, he [3]). Subsequently, Chaum’s protocol was improved upon in systematically goes after the voters who voted against him in two significant ways. First there is a protocol called the Prˆet- earlier elections, or after their descendants. `a-Voter (PaV) protocol, as was described in [4][5]. Shortly Real world voting systems have always had the property afterwards, and inspired by PaV, Chaum developed PunchScan that the vote (the information containing the voter’s choice) is (PS). See the site www.punchscan.org for demos and technical permanently destroyed. Newly-proposed protocols should have descriptions [6][7]. this property too. Computational privacy is hence not sufficient Both protocols have important advantages over [2]: a sim- for a voting protocol, as the computational assumption is pler ballot layout, and pre-printed ballots on which the voter likely to be broken in the future. Though this implies that the marks his preferences with a pen, thus ensuring that the voting correctness of the election outcome is “only” computational, machine does not learn the vote. This improvement implies we believe this is a sensible trade-off, since the authorities a significant leap forwards, since until then most e-voting would have to break the computational assumption before systems had the disadvantage that a machine learned how a the election has terminated in order to alter the election person voted, and protecting thousands of voting machines is result. Though it is very hard to estimate how difficult it is very difficult. to break a computational assumption fifty years from now There are also some important differences between PaV (computational privacy), it is easy to design a protocol based and PS. First, their ballot layouts are different, and so is the on a computational assumption that will not be broken in the mechanics of voting. But as we will show, these differences next few months (computational correctness). are marginal. Second, PaV uses decryption mixing as the underlying cryptographic primitive, whereas PS uses a bit C. Summary of results commitment scheme on a cleverly-constructed audit table We present a detailed comparison of Prˆet-`a-Voter and which is published on a web site, and that uses permutations Punchscan. Then we describe a variation that keeps the simpler to hide the links between the voters and the votes cast. This ballot layout of Prˆet-`a-Voter but borrows, and slightly simpli- is an important breakthrough since the commitment primitive fies, the cryptography from Punchscan. Using bit commitments is much simpler than the mixing primitive. Additionally, from that are unconditionally hiding and computationally binding, a theoretical point of view, PS makes a clear link between we obtain a conceptually simple election scheme that has com- commitment schemes and voting protocols, with interesting putational correctness, whereas its privacy is unconditional. An implications for unconditional (or everlasting) privacy. earlier version of this work was published as a four-page short Jeroen van de Graaf is with the Universidade Federal de Ouro Preto, Brazil. paper [11], which essentially corresponds to the contents of Manuscript received February 20, 2009; revised August 12, 2009. Section IV. 2 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY: SPECIAL ISSUE ON ELECTRONIC VOTING We claim that our protocol has the following properties, all protocol presented in [9] uses the a voting machine and the of which, except the first one, are inherited from both PaV ballot casting assurance techniques of Neff and Adida[15][16], and PS: resulting in a very different user interface. The protocol • Unconditional privacy of the ballot: The public view, presented in the second paper[10] bears some resemblance to including all receipts and all other data published on the one presented here, which is not surprising since both are the election web site, reveals no information (in the based on PunchScan. In fact, it seems that by applying our Shannon sense) about a voter’s choice. This implies that, observations about ballot layout, a simpler user interface for assuming that all unopened commitments are perma- Split-Ballot can be obtained, since both protocols require the nently destroyed after the final audit step took place, voter to perform an addition modulo the number of candidates we obtain everlasting privacy. This property is inherited on the ballot. See [14] for further discussion. from PS provided an unconditional commitment scheme Scantegrity [17] also uses a commitment scheme as the is used. PaV uses mixing, thus inherently providing only underlying cryptographic primitive, so it can also be modified computational privacy. to provide unconditional privacy. Scratch&Vote [18] strongly • Coercion-resistance: As a consequence of the previous relies on homomorphic counters for the ballot layout, and thus property, our protocol is immune to vote buying/selling can provide computational privacy only. schemes in the sense that a voter cannot prove whom she In [19], Popoveniuc and Vora present a very interesting has voted for. However, we have no satisfying solution comparison of various protocols, including PaV, PS and Scant- to the randomized coercion attack, in which a coercer egrity, but they do not address unconditional privacy. forces the voter to bring back a receipt with a mark in a specific location, effectively forcing the voter to cast a E. Outline of the paper random vote. In Section II we provide more details about commitment • Computational correctness of vote count: If the elec- schemes, and present the general model of voting. In Section tion authority passes the post-election audit steps, this III we provide a detailed description of the differences in the means that the vote count is correct, unless an extremely ballot layouts of Prˆet-`a-Voter and PunchScan, and demonstrate unlikely event has occurred or the authority has succeeded that these differences are insignificant from a practical point of in breaking, before the election ends, the computational view, despite the fact that the opposite has been argued ([16], assumption on which the commitment scheme is based. page 117). This statement is true independent of whether the author- In Section IV we present our protocol, by merging PaV ity tried to cheat and whether the programs that run the and PS as follows: we maintain PaV’s (simpler) ballot layout election are correct. but we borrow the underlying cryptography from PS. The final • Individual Voter Verifiability: Each voter receives a result is superior to both because, compared to PaV, it disposes receipt that she can compare with the image published of mixing, while, compared to PS, it results in a simpler ballot on the election web site. If this image is different or layout. absent, the receipt serves as a proof that the authority In Section V we state our assumptions, and present the is dishonest. properties of our protocol. Section VI presents variations and • Universal Verifiability: Any observer can verify that the extensions of our protocol, whereas Section VII demonstrates tally has been calculated correctly with overwhelming how the overall number of commitments used in the protocol probability. can be kept fairly small. D. Comparison to other work II. PRELIMINARIES As we advocate the position that privacy should be un- A. Commitment schemes conditional, we do not consider voting protocols based on A commitment scheme is a cryptographic primitive that homomorphic encryption and/or (re)encryption mixes which, implements the equivalent of the following functionality. In in fact, constitute the large majority of the voting literature. the commit phase, a Sender writes a certain string, x, on a To our knowledge, the first voting protocol that provides piece of paper, which he puts in an opaque envelope; he then unconditional privacy was published by Bos in chapter 3 seals the envelope and puts it on the table.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-