Ticket granting. Voting S. Ticket counting

Transcription

1 Anonymous Secure E-oting over a Network Yi Mu and ijay aradharajan School of Computing & IT, University of Western Sydney, Nepean, PO Box 10, Kingswood, NSW 2747, Australia fyimu,vijayg@st.nepean.uws.edu.au Abstract In this paper, we propose two new anonymous secure electronic voting schemes that protect the privacy of the voters and prevent double voting. These schemes do not require any special voting channel and the communications can occur entirely over existing networks such as the Internet. The proposed schemes are based on ElGamal digital signature algorithm and can be applied to elections in a variety of situations ranging from an election in a small organization to a country. Key Words: Secure oting, Applied Cryptography. 1 Introduction Electronic balloting and voting can make the election process more convenient and eæcient ifitcan be achieved securely. Electronic voting raises several security issues such as privacy, fairness, veriæability and double voting. Some of these issues become further complicated if voter anonymity is required. As an open networked environment èe.g. Internetè is vulnerable to security attacks such as eavesdropping, masquerading, and illegal modiæcation and access, design of secure electronic balloting and voting systems over such networks is not an easy task. There have been a number of research publications that have addressed this problem proposing secure electronic voting systems that satisfy the above requirements at various levels ë1, 2,3,4,5ë. The protection of privacy of voters in an electronic balloting and voting system is viewed as one of the most important security requirements. In general, electronic voting systems can be classiæed into two types namely the non-anonymous and the anonymous. The ærst type strictly hides the content of votes in order to preserve the privacy of the voters ë3, 4ë. The theory behind this type of system uses secret sharing schemes ë6, 7ë and zero knowledge proofs ë8ë. The main drawback of these schemes is the computational complexity in vote counting procedures, which becomes prohibitive in large scale voting systems ë4ë. The second type of schemes protects the privacy of voters by hiding the identity of voters and leaves the content of votes in the clear, visible to the voting authority. Hence the complexity problem in counting votes in large scale systems is overcome in these systems. However, this type of schemes have to deal with the problem of double voting. From the best of our knowledge, the second kind of voting schemes has not been investigated so far. In this paper, we propose two new anonymous voting schemes based on a modiæed ElGamal digital signature scheme. The proposed systems ensure that the anonymity of voters is preserved while at the same time detecting double voting. The rest of this paper is organised as follows. Section 2 introduces the modiæed ElGamal digital signature scheme and describes the cryptographic primitives required for our schemes. Section 3 describes the voting environment and the security requirements. Section 4 describes our oting Scheme 1 which involves the use of a trusted authentication server. Section 5 discusses our oting Scheme 2 in which the level of trust on the authentication server is reduced compared to the ærst scheme. 2 Cryptographic Primitives This section presents the modiæed ElGamal's digital signature scheme and discusses its properties.

2 The security of ElGamal's digital signature ë9ë scheme is based on the diæculty of computing discrete logarithms in a ænite æeld. In this scheme, users in the system share a public key, while the signer has a secret key which he or she uses to sign messages. We assume that the signer is A and one of other users is B. The digital signature scheme is as follows: 1. To generate a key pair, A ærst chooses a large prime p 2Z p, and two random numbers, g 2Zp æ and k 2Z p,1. Then A calculates y = g k mod p; è1è where k is the secret key of A and fy; g; pg is the corresponding public key. Both g and p are public. 2. To sign a message m, A ærst chooses a random number r, such that r is relatively prime to p, 1 and then computes and a = g r mod p s = k,1 èma, rè modèp, 1è è2è è3è to form the digital signature fa; sg 2 Zp æ, where k,1 is the inverse of k. Note that we have made a small change in s. In the original ElGamal scheme, s = r,1 èm, kaè modèp,1è. The security of the modiæed scheme is equivalent to the original scheme. èsee Ref. ë10ë, where some ElGamal based signature schemes have been summarizedè 3. To verify the signed message, B checks y s a mod p? = g ma mod p: è4è If the equality holds, the signature is valid. The security of ElGamal's digital signature scheme is based on the diæculty of computing discrete logarithms in a ænite æeld. That is, it is computationally infeasible to calculate the secret key given the public key; similarly, knowing the one-time number a, it is computationally infeasible to compute r. Without the secret key k and random number r, it is computationally infeasible to produce a digital signature èa; sè. Each ElGamal signature computation requires a new value of r that must be chosen at random and the value of r cannot be used more than once. Theorem 1 For a given k 2 Z p,1, if a and r are used more then once for ElGamal signatures, k can be computed without prior knowledge of k. Proof: Assume that a and r have been used to generate ElGamal signatures s and s 0 with respect to the messages m and m 0 respectively. k can be computed by k = m0 a, ma s 0, s mod èp, 1è: è5è 2 Therefore, the value of a or r must have never been used before. We can employ this property to prevent an individual from using a certain data more than once, if the data is related to either r or a. For instance, in an electronic balloting process, avoter is not allowed to vote for a certain candidate more than once. If a voting ticket contains the information of r or a, multiple use of the ticket will reveal the secret key of the voter. In fact, this scheme can be used in any system which requires to protect against multiple use of a certain data item. 3 oting Environment Our on-line electronic voting environment involves at least the following parties : oters è sè, an Authentication Server èasè which is responsible for authenticating the oters and granting oting Tickets, oting Servers ès'sè that collect voting tickets from voters, and a Ticket Counting Server ètcsè, and Trusted Certiæcate AuthorityèAuthorities ècaè. Authentic and secret communications between voters and servers in the proposed scheme are based on asymmetric key cryptosystems. Therefore, voters and servers do not share any secret. The following requirements are to be met by the voting scheme. æ Anonymity of oters: Identities of voters must not be revealed to other voters and oting Server S. The authentication server

3 Ticket granting AS oting S S S Ticket counting Figure 1: Illustration of the oting Scheme. cannot map any voting ticket to the corresponding voter's identity, unless the voter has double voted. æ Secrecy of oting Tickets: The contents of a voting ticket should be secret and must be protected from unauthorized disclosure; while the contents are in the clear to oting Servers. æ Authentication between oters and AS: AS should know that the voters are legitimate for the given election and voters should know that AS is the authority which is issuing the voting tickets. æ alidation of oting Tickets: oting Server S is able to check the validity ofvoting tickets. æ Double oting: It should not be possible for avoter to vote more than once 1 ; if this occurs, then this can be detected and the identity of the voter revealed. Our voting scheme involves four phases : voting preparation, voting, voting ticket collection, and ballot counting. Each phase involves a sequence of steps and is described using a suitable protocol and algorithm. 4 oting Scheme 1 The oting Scheme 1 described in this section assumes a trusted Authentication Server AS. It is trusted to authenticate the users correctly as well as not to vote on behalf of any other voters. 1 In our case, double voting means to use a parameter for diæerent messages or votes. It is OK for a voter to send the same message or vote twice or more í treated as one vote. 4.1 oting Preparation The voting preparation phase involves obtaining a voting certiæcate from a trusted Certiæcation Authority and a valid voting ticket from AS. This phase is not anonymous; when requesting a voting ticket, the voter should prove his or her identity to the AS. The proof is based on a valid public key certiæcate and the voter's RSA digital signature on the request. All parameters in the voting ticket for a particular voter must be protected against unauthorized disclosure oting Certiæcate Assume that all parties hold a long term voting certiæcate which can be used for a number of elections. In fact, this could be the usual public key certiæcate that can be used for a variety of purposes such as electronic payment, as well as voting. Obtaining such certiæcates can be done via either a secure online channel or an oæ-line method suchasphysical access to a CA that could act as a local election server. Let Cert X be the certiæcate of X and let the RSA secret key í public key pair for X be denoted as èd x ;e x è. When requesting a certiæcate from a CA, a voter needs to generate a pair of RSA secret-public key fd v ;e v g and two large prime numbers; the product of the prime numbers forms a public modulo n, where d v e v = 1modçènè. A voting certiæcate, containing parameters such as the voter's identity, serial number, RSA public key, lifetime, timestamp and CA's identity, is signed by the CA using its secret key. The public key of the CA is assumed to be ëreally public" and widely accessible. For example, CA's public key can be accessible and broadcast via the Web Obtaining a oting Ticket The preparation of an ElGamal secret key í public key pair has been given in section 2. Here, we selectively use certain parameters in the El- Gamal algorithm to construct a voting ticket. It is reasonable to assume that AS is completely trusted by voters not to use voting tickets illegally. In order to ensure the anonymity of the voters, AS should not have any information on tickets and other parameters to be used in future

4 voting processes. This is achieved using blind signature schemes ë11, 12ë. We assume that all public key encryption and digital signatures are based on the RSA algorithm. The protocol for granting a voting ticket is as follows: 1. Before sending a request for a voting ticket to AS, needs to prepare the following parameters: x 1 ç gb ea mod n and x 2 ç ab e a mod n, where b is a blind factor and e a is the public key of AS. The voter sends the following request message to AS.! AS: ; AS; Cert ; èx 1 kx 2 ktè d v mod n, where t denotes a timestamp and k denotes concatenation of bits. 2. Upon receipt of the request, AS validates the signature èx 1 kx 2 ktè d v mod n, chooses k at random èk 2 Z p,1 è, encrypts x 3 = èkktè ev mod n, and computes the following digital signature. x 4 ç èx k 1 x 2è da =èyaè da b k+1 mod n; where y = g k and d a is the private key of AS. Then AS sends these blindly signed parameters to : AS! : AS; A; x 3 ; èx 4 ktè ev mod n. x 3 and x 4 have been encrypted with the public key of the corresponding. Note that k no longer servers as the secret key of the voter, but the unique alias of the voter. k must be known to both AS and the corresponding voter. In the AS database, k is the unique index pointed to the real identity of the voter. We have assumed that k is chosen by AS; however it can be also chosen by the voter and is then sent toas. 3. decrypts x 3 to obtain k and removes the blind factor b k+1 to obtain the following: x 0 4 ç èyaè d a mod n; To construct a voting ticket, needs to specify the candidate to whom he or she wishes to vote for. This information is included in m in a standard format that is assumed to be followed by all the voters. m = fcandidate 1kY eskcandidate 2kNok:::g The oting Ticket is now constructed as T ç fakgkykx 0 4kskmg, where s = k,1 èma, rè. AS stores k along with the identity of the voter, voter's public key certiæcate, and èx 1 kx 2 ktè d v mod n. The number g should be diæerent for each voter. This condition is important as shown by Theorem 2 below. Theorem 2 Consider two voters 1 and 2. If both of them use the same value of g and diæerent values of r then 1 and 2 can double vote by exchanging the signed value of a. Proof: Let 1 have r and 2 have r 0 èr 6= r 0 è. Then 1 has a = g r mod p and 2 has a 0 = g r0 mod p. After exchanging a and a 0 along with the associated r and r 0, 1 can compute: s 0 = k,1 èma 0, r 0 èmodèp, 1è; which is diæerent from s = k,1 èma, rè modèp, 1è. Using Equation è5è, we ænd k 6= m0 a 0, ma s 0, s mod èp, 1è: The case for 2 is similar. In order to overcome this attack using common g, we have introduced the digital signature, x 0 4 where x 0 4 ç èayèda mod n; x 0 4 provides a link between k; g; a; and r which ensures that these values have to be used at the same time and hence the common g attack is overcome. AS must also ensure that there are no voters who share the same value of k oting and Collecting Tickets Once a voter obtains a valid voting ticket from the AS, voting can immediately start. The voter votes by sending the oting Ticket over a network to a oting Server S. 1. The voter needs to æll out the message part of the voting ticket, m, to create a valid ticket. The voter then sends the ticket to S:! S: S; èt ktè es mod n.

5 2. Upon receipt of T, S decrypts the ticket with its secret key and validates a; g; and y byverifying AS's signatures on x 0 4. Then S validates s using y s a mod p = g ma mod p. The voting process is anonymous in that the voter never sent his or her identity to the oting Server. The main task of a oting Server is to ensure the authenticity ofvoting tickets. This is done bychecking AS's signatures on x 0 4 and checking whether or not the parameters g; a and y have been used before by checking its own database. However these checks are not suæcient toprovide the assurance that the voting ticket has not been used with other oting Serverèsè; hence, a further check needs to be done by the Ticket Counting Server. Note that voting tickets are untraceable and do not reveal any information about the voters; while the oting Server can still ensure the authenticity of the received voting tickets. This is because all important data used in the construction of the ticket were blindly signed by the AS. 4.3 Counting Tickets oting Servers store voting tickets in voting boxes; for instance, each voting box might contain 100 such tickets. Once a box isfull, it is sent tothe Ticket Counting Server ètcsèover the network. The counting of tickets is done by TCS. TCS checks for double voting where a voter may vote more than once with diæerent oting Servers. Double voting can be detected by checking whether the parameters èa; g; yè have been used more than once. Following this check, the balloted ticket is included in the ticket counting process where votes for each of the candidates are accumulated. This is done by examining the balloting information in m. Furthermore, if double voting occurs, then using Theorem 1, the TCS can compute k using the information from the two oting Tickets and sends k to AS. AS can then ænd the identity of the voter. 5 oting Scheme 2 In Scheme 1, AS is trusted not to generate any voting ticket without voter's consent and not to give k to others including S and TCS. The main diæerence between this scheme and the ærst one is that in this scheme the level of trust on the AS is reduced so that the above mentioned requirements for AS are no longer needed; while the anonymity of the voters is still preserved. We will not repeat the parts which are same as those in oting Scheme Obtaining a oting Ticket In this scheme, the AS does not have complete information on the ElGamal secret key which has been used as the voter's alias mapping the voter's identity in the oting Scheme 1; the AS shares only a portion of the secret key. In other words, AS cannot generate a voting ticket for any voter without the voter's consent. The protocol for granting tickets is as follows: 1. Before sending a request to AS for a oting Ticket, prepares the following parameters: x 1 ç gb ea mod n, x 0 1 ç gk1 b ea mod n, and x 2 ç ab ea mod n, where b is a blind factor and k 1 2Z p,1 is a secret parameter known only to the voter. The voter sends the following request to AS.! AS: ; AS; Cert ; èx 1 kx 0 1kx 2 ktè dv mod n. 2. Upon receipt of the request, AS validates 's signature, chooses k 2 at random èk 2 2 Z p,1 è, computes x 3 =èk 2 ktè ev mod n. and computes the following digital signatures. x 4 ç èx k2 1 x0 1 x2k2 1 x 0 1 x 2è da = èy 1 y 2 aè da b 3èk2+1è mod n; where we have assumed that k = k 1 + k 2, k 0 = k 1 +2k 2, y 1 = g k, and y 2 = g k0. AS then stores k 2 along with 's identity inits database and sends the blindly signed x 4 to : AS! : AS; ; x 3 ; èx 4 ktè ev mod n. Note that x 4 is also important for eliminating the common g attack, since it provides a link amongst r;a;g;k, and k decrypts x 3 to obtain k 2, computes k = k 1 + k 2 and k 0 = k 1 +2k 2, computes y 1 and

6 y 2, and removes the blind factor b 3èk2+1è to obtain: x 0 ç 4 èy 1y 2 aè d a mod n: The voting ticket is now constructed as T çfakgky 1 ky 2 kx 0 6ks 1 ks 2 kmg; where s 1 = k,1 èma,rè and s 2 = k 0,1 èma, rè. 5.2 oting and Collecting Tickets The voting process is similar to that given in oting Scheme 1. Here, we omit the details. Please note that this time it is not possible for the AS to learn the the identity of the voter, even if AS; S's, and T CS collude. This is because the AS does not have complete information on k and does not know the mapping between the voter and k 2. However, when a double-voting occurs, the AS can immediately compute k and k 0 in terms of Equation è5è. With k and k 0, AS can solve k = k 1 + k 2 ; k 0 = k 1 +2k 2 ; to obtain k 1 and k 2, which then leads to the identity of the voter. 6 Concluding Remarks In this paper, we have proposed two secure anonymous electronic voting schemes which use a modiæed ElGamal digital signature algorithm. With these schemes, if a voter votes only once, then his or her identity will never be discovered by the oting Servers and Ticket Counting Server. The oting Scheme 1 assumes the existence of a trusted AS. In oting Scheme 2, the level of trust in the AS is reduced so that voter anonymity holds even if oting Servers, Ticket Counting Server and Authentication Server collude, since the AS has access to only part of the information on the unique alias of a voter. In fact, the security of our voting schemes is equivalent to that of the ElGamal digital signature. That is, if a voter only votes once, then discovering the voter's identity is equivalent to discovering the signer's ElGamal secret key. References ë1ë P. G. Neumann, ësecurity criteria for electronic voting," in Proceedings of the 16th national computer security conference, ènaltimore MDè, pp. 478í482, ë2ë J. Borrell and J. Rifça, ëan implementatable secure voting scheme," computer & security, vol. 15, no. 4, pp. 327í338, ë3ë R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung, ëmulti-authority secretbollat elections with linear work," in Lecture Notes in Computer Science 1070, èeu- ROCRYPT'96è, pp. 72í83, Springer, Berlin, ë4ë R. Cramer, R. Gennaro, and J. Borrell, ëa secure and optimally eæcient multi-authority election scheme," in Lecture Notes in Computer Science 1233, èeurocrypt'97è, pp. 103í117, Springer, Berlin, ë5ë A. Fujioka, T. Okamoto, and K. Ohta, ëa practical secret voting scheme for large scale elections," in Lecture Notes in Computer Science 718, èeurocrypt'94è, pp. 244í251, Springer, Berlin, ë6ë A. Shamir, ëhow to share a secret," Communications of the ACM, vol. 22, pp. 612í613, ë7ë T. P. Perdersen, ënon-interactive and information-theoretic secure veriæable secret sharing," in Lecture Notes in Computer Secience 576, pp. 129í140, Advances in cryptology - CRYPTO'91, Springer-erlag, Berlin, ë8ë M. O. Rabin, Digital Signatures. Academic Press, New York, ë9ë T. ElGamal, ëa public-key cryptosystem and a signature scheme based on discrete logarithms," in Adances in cryptology - CRYPTO'84, Lecture Notes in Computer Secience, pp. 10í18, Springer-erlag, Berlin, ë10ë P. Horster, M. Michels, and H. Peterson, ëmeta-elgamal signature schemes," in

7 Proceedings of the second ACM Conference on Computer and Communications Security, ènew Yorkè, November ë11ë D. L. Chaum, ëuntraceable electronic mail, return addresses, and digital pseudonyms," Communications of the ACM, vol. 24, no. 2, pp. 84í88, ë12ë D. Chaum, A. Fait, and M. Naor, ëuntraceable electronic cash," in Advances in Cryptology, CRYPTO '88 Proceedings, pp. 319í 327, 1990.