Master of Science Project. An Internet-Based Voting System for Student Government Elections


Master of Science Project
An Internet-Based Voting System for Student Government Elections
Sungho Maeung
Computer Science Department, Rochester Institute of Technology
July 27, 2005
Chairman: Prof. Stanislaw P. Radziszowski
Reader: Prof. Christopher M. Homan
Observer: Prof. Zack Butler


Abstract

Recent studies, in particular Fujioka et al. and the Caltech-MIT voting technology study, argue that traditional voting systems do not encourage increased voter participation due to constraints in time, location, accuracy, and accessibility. To ensure the rights of a democratic society, and to enhance and secure the voting rights of citizens by surpassing all the limitations of the traditional voting system, the development of an electronic voting system is an attractive solution. Research on secure electronic voting systems has been conducted for at least the past two decades. We propose to develop an Internet-based voting system, called the Rochester Institute of Technology Student Government Election System (SGEES), based on the work of Damgård et al. This voting scheme uses efficient honest-verifier zero-knowledge proofs which, unlike the earlier Fujioka et al. and Cramer et al. election schemes, are easy to both compute and verify for voters and authorities alike. Our proposed electronic voting system allows convenient and confident voting while maintaining the accuracy of election results. This project addresses the security requirements for electronic voting over the Internet, including privacy, completeness, soundness, receipt-freeness, and universal verifiability. In particular, we study the feasibility of the voting scheme and protocols through three related cryptographic theories: homomorphic encryption, efficient honest-verifier zero-knowledge proofs, and threshold decryption cryptosystems.

Contents

1 Introduction 4
2 Cryptographic preliminaries
  2.1 Homomorphic encryption
    Homomorphic ElGamal style encryption
  2.2 Zero-knowledge proofs
    Proofs of knowledge
    Integer commitment
    Honest-verifier zero-knowledge proofs
    Converting interactive proof to non-interactive proof
  2.3 Bulletin board
  2.4 Threshold decryption system
    Notation and requirements
    Secret sharing
3 System architecture
  3.1 Voting protocol
  3.2 Use cases
    New account
    Login and open account
    Browse candidates and vote candidate
    Process received ballots
  3.3 User interface
    Client software
  Registration
  Validation
  Tallying
  Three tier structure
4 Experiments
  Performance
  Security level
    Registration
    Validation
    Modulus
5 Conclusions 33
6 Annotated References 34
7 Appendix A: Threshold cryptosystem and DKG
  Communication models
  Distributed key generation
  Pedersen's distributed key generation
  Distributed key generation protocol
  Generating x
  Extracting y = g^x mod p
  Verification using honest-verifier zero-knowledge proofs
  Decryption
  Canny and Sorkin's distributed key generation
  Additional definition
  Sparse matrix DKG [3]
  Master algorithm
  Generate a secret key x
  Reveal a public key, y = g^x mod p
  Sparse evaluation matrix

1 Introduction

The concept of Internet-based voting promises convenience for voters and an inexpensive voting method for a modern democratic society. Researchers have proposed voting schemes, such as those of Fujioka et al. and Cramer et al. [12, 4], that theoretically support Internet-based voting. However, the difficulty of implementing the necessary security requirements has led to only a few actual schemes for Internet-based voting, and these make strong assumptions about the voting environment, such as anonymous or untappable communication channels [17]. In order to implement an electronic voting system, the following security concerns must be addressed:

Eligibility: Only an eligible voter can cast a vote, and each voter can cast only a single vote. The vote of an invalid voter is not counted.
Privacy: Votes remain anonymous; each individual vote is protected against coercion. Different ballots are indistinguishable irrespective of the votes they contain.
Completeness: All valid votes must remain secret and be counted in the final tally.
Unreusability: A voter cannot vote twice.
Robustness: The voting system must keep working properly even when a partial failure of the system occurs.
Universal verifiability: A third party can check whether or not ballots are correctly cast, and only invalid ballots are ignored.
Receipt-freeness: A voter cannot prove which candidate he voted for. Consequently, voters are not able to sell their votes to buyers.

The most crucial of these security properties for practical voting schemes are universal verifiability and receipt-freeness. Hirt's scheme [17] proposes a solution for receipt-freeness using homomorphic encryption under the assumption of a physical untappable channel between voters and authorities. It is the first practicable receipt-free voting scheme in which a voter can neither obtain nor construct a receipt proving the content of the vote. One way to satisfy these security requirements is to adopt a set of cryptographic protocols, namely a bulletin board [6] and designated verifier proofs [1]. A bulletin board allows voters to correspond with trusted authorities via public channels. The board also works together with a threshold cryptosystem to provide universal verifiability at the tallying step. The designated verifier proofs give the voter the ability to perfectly simulate a receipt for the candidate of the coercer's choice. The combination of these concepts can satisfy the security requirements. Two decades of voting schemes addressing these requirements can be classified into the following approaches:

- Blind signature and anonymous mix-net channels [12]
- Homomorphic encryption and threshold cryptosystem [4, 17]

The general idea of blind signatures and mix-net channels is as follows: a voter encrypts the content of the ballot and then interacts with an authority, which validates whether or not the voter is eligible to vote and has not yet voted. The authority then issues a blind signature on the ballot, so that the voter obtains the authority's digital signature without revealing the contents of the ballot. Without interacting with the authority, the voter cannot obtain its signature, so duplicated votes can be detected and ignored. The voter then submits his/her ballot to the tally authority for counting through anonymous channels, called mix-networks. However, the difficulty of implementation and the computational complexity of anonymous channels may produce a significant delay in the final result.

The more recent approach is homomorphic encryption. During the registration step, a voter receives a corresponding public key and digital signature from a registration authority. A voter encrypts his/her vote using the public key, and simply submits the encrypted vote with the digital signature to the bulletin board authority to prove that the voter is eligible to vote and has not voted before. Knowledge of the encrypted vote is verified by a zero-knowledge proof that the encryption contains a validly formatted vote, without revealing the contents of the encrypted ballot. Due to the homomorphic property, all encrypted votes can be combined efficiently. This produces one encryption of the result, which is the product of the individual encryptions and contains the sum of the contents of the ballots. The final result is recovered by a threshold decryption cryptosystem using a secret shared among a set of authorities. Because the threshold cryptosystem provides the universal verifiability and robustness properties, each authority receives a share of the private key and they cooperate to decrypt the final result. In practice, the second approach is more suitable for electronic voting than the first, due to the simple computation of the homomorphic encryption.

We propose to study and implement a practical voting system based on homomorphic encryption with a threshold decryption cryptosystem, using efficient honest-verifier zero-knowledge proofs for the correctness of the encrypted votes. Furthermore, we state the theoretical soundness of our scheme and propose an implementation of this scheme for the RIT Student Government Election System. In the process of implementation, we explore how to improve the Damgård et al. voting scheme [6] to satisfy all security requirements such as universal verifiability and honest-verifier zero-knowledge proofs. We also address and document the limitations in all components of our system.

This project is organized as follows. In Section 2, we review the cryptographic primitives for the security requirements of an electronic voting system as described in the literature, and a voting protocol based on the Damgård et al. voting scheme. Section 3 introduces the cryptographic components used to design the Internet-based voting system: the architecture of the voting system, the implementation and the cryptographic library. In Section 4, we present experiments with the voting protocol and a performance analysis. Finally, concluding remarks and security levels are given in Section 5. The annotated references are given in Section 6. Appendix A contains detailed information about the distributed key generation protocol based on the threshold cryptosystem.

2 Cryptographic preliminaries

This section describes the security requirements of the cryptographic primitives for the Internet-based voting system, based on the Damgård et al. scheme [6, 7]. The main cryptographic protocols for our voting scheme are homomorphic encryption, honest-verifier zero-knowledge proofs of the correctness of encrypted ballots, and a threshold decryption cryptosystem. We describe these in more detail below.

2.1 Homomorphic encryption

Homomorphic encryption supports universal verifiability in the election system by generating a new encrypted vote from the product of two encrypted votes: the product of the ciphertexts of any two votes is the ciphertext of the sum of the votes. The idea behind the homomorphic property is that the ciphertext of the sum of the votes can be decrypted, while the individual votes are not. Results of the election can, with the help of the appropriate private key, be computed efficiently. A general definition is as follows. For any instance E of the encryption scheme and given messages $m_1$ and $m_2$,

$$E(m_1) \otimes E(m_2) = E(m_1 \oplus m_2) \qquad (1)$$

where $\otimes$ and $\oplus$ are the product and the sum of the respective entities; the specific definition of each depends on the domain. Homomorphic encryption is important for the construction of voting protocols. The ElGamal cryptosystem can be modified into such a homomorphic encryption under the generalized Decision Diffie-Hellman assumption (DDH) and using the standard binomial expansion [6].

Homomorphic ElGamal style encryption

The ElGamal encryption system [11] for a voting scheme was first described by Cramer et al. [4]. But with an increase in the number of candidates, decryption becomes very expensive, which has an adverse computational effect. Its complexity is $\Omega(M^{(l-1)/2})$, where M is the number of voters and l is the number of candidates. This problem can be resolved by using Paillier's cryptosystem [20], which satisfies the homomorphic property and has low polynomial complexity. Because of

this computation, Damgård et al. provide another approach that resolves the decryption computation of the ElGamal cryptosystem efficiently under the DDH assumption with the standard binomial expansion. Consider an ElGamal style encryption system with its generation of key parameters, encryption E, decryption D, and homomorphic property. They are briefly described as follows [7]:

Key generation: Choose an element $g \in Q_n$, where $Q_n$ is the subgroup of all squares of the ring $R = \mathbb{Z}_n$ and $n = pq$ is an RSA modulus of k bits with $p = 2p' + 1$ and $q = 2q' + 1$, where $p, q, p', q'$ are primes. Then $\gcd(p-1, q-1) = 2$, and g has Jacobi symbol 1 (it is a quadratic residue). The private key is $x \in \mathbb{Z}_\tau$, where $\tau = |Q_n|$ is the order of g. The public key is $(n, g, h)$, where $h = g^x \bmod n$.

Encryption: Choose a message $m \in \mathbb{Z}_{n^s}$, where $s > 0$, and a random $r \in \mathbb{Z}_n$. Then

$$E(m, r) = \big(g^r \bmod n,\ (h^r \bmod n)^{n^s} (n+1)^m \bmod n^{s+1}\big) = (u, v).$$

Decryption: Given a ciphertext $(u, v)$, s can be retrieved from the length of the ciphertext. The decryption is

$$D(E(m, r)) = v \cdot (u^x \bmod n)^{-n^s} = \big((n+1)^m (g^{xr} \bmod n)^{n^s} (g^{rx} \bmod n)^{-n^s}\big) \bmod n^{s+1} = (n+1)^m \bmod n^{s+1}.$$

After the decryption we still have to solve an instance of the discrete logarithm problem to retrieve the actual message m from $w^m$, where $w = n + 1$. Damgård et al. resolved this by using a ring in which the discrete logarithm in R to the base w is easy to compute using the standard binomial expansion. A concrete example of the algorithm and protocol can be found in Jurik [9].

Homomorphic property: The encryption scheme provides the homomorphic property for $m, m' \in \mathbb{Z}_{n^s}$, all $r, r' \in \mathbb{Z}_n$, and $w = (n+1)$:

$$E(m, r) \cdot E(m', r') = (g^r g^{r'},\ w^m h^r w^{m'} h^{r'}) = (g^{r+r'},\ w^{m+m'} h^{r+r'}) = E(m + m', r + r').$$

The ElGamal style cryptosystem requires that the scheme use a secret discrete logarithm, so that n and g can be generated independently. The scheme can generate several different public values h, such as $g^{x_1}, g^{x_2}, \ldots$, using the same n.

2.2 Zero-knowledge proofs

Zero-knowledge proofs, based on an interactive proof system, allow a prover to convince a verifier that it has some secret knowledge without revealing the secret itself. In the voting system, the prover (voter) wants to convince the verifier (bulletin board) of the correctness of an encrypted vote in such a way that the verifier cannot learn the prover's ballot. General zero-knowledge proofs are not suitable for this purpose due to their number of rounds and their large computational and communication complexity. To address this, Damgård proposed efficient honest-verifier zero-knowledge proofs of knowledge with a constant number of rounds. His results can also be applied to non-interactive proofs, such as Σ-protocols made non-interactive with a cryptographic hash function h by the Fiat-Shamir heuristic [6]. Honest-verifier zero-knowledge proofs can also show the validity of votes encrypted via a homomorphic encryption scheme during the tallying. In this section, we take a look at the basic concept of zero-knowledge proofs and how the validity of encrypted votes can be proved in zero-knowledge based on the Damgård scheme. The validity of an encrypted vote refers to the verification in zero-knowledge that the ballot has a valid form. This technique is implemented through multiplicative relationships among the encrypted messages. We present an efficient zero-knowledge proof of knowledge from the Damgård scheme and show how it establishes the correctness of votes in which a voter selects either one candidate or multiple candidates on a ballot. In order to analyze the scheme, we first present the basic terminology and

concepts such as proofs of knowledge, integer commitment, and multiplicative relationships in honest-verifier zero-knowledge proofs. Then we show how to prove in zero-knowledge the correctness of an encrypted vote for selecting one candidate or multiple candidates.

Proofs of knowledge

Proofs of knowledge are proofs in which the prover has some knowledge of an entity. We can define some abstract properties of proofs of knowledge of the following form for P, V and $(x, w) \in R$, where P is a prover, V is a verifier, x is a common input, w is a witness given as private input to P, and R is a binary relation. P knows some w and wants to prove this fact to V; intuitively, P knows w if w can be computed efficiently from P. The knowledge error κ bounds the probability that P convinces V without knowing w, and it must be negligible for $(x, w) \in R$. The proofs of knowledge we are concerned with have the following three-move form, called a Σ-protocol:

Prover P, input $(x, w) \in R$                       Verifier V, input x
choose r at random;
$a = P_1(x, w) = (m, r)$          --- a --->
                                  <--- e ---         $e = V_1(r')$, a random challenge
$z = P_2(x, w, m, r, e)$          --- z --->         $V_2(x, z, a, e) \stackrel{?}{=}$ verify

where $P_1, P_2, V_1, V_2$ are polynomial-time algorithms or machines computing the proof of knowledge, and r, r' are random numbers. A proof of knowledge implemented as above satisfies the following properties:

Completeness: the verifier V always accepts (with high probability) if the honest prover P knows some w and can submit the answer corresponding to $(x, w) \in R$.

Special soundness: from two accepting transcripts $(a, e, z)$ and $(a, e', z')$ with $e \ne e'$ on the same common input x, a witness w such that $(x, w) \in R$ can be extracted and computed efficiently.

If we add one more property, called special honest-verifier zero-knowledge, then a transcript following the three steps can be simulated without the help of the verifier and without w. The prover can produce a proof that $(x, w) \in R$ in zero-knowledge, that is, no information about P's witness w is disclosed to the verifier V through the communication. Below is the zero-knowledge property for proofs of knowledge.

Special honest-verifier zero-knowledge: A conversation between the honest prover and the honest verifier can be simulated without knowing a witness w such that $(x, w) \in R$.

If the verifier is dishonest, the zero-knowledge property can be broken, because a dishonest verifier may send a challenge e that is not polynomially bounded. For the prover it is then difficult to compute the answer in polynomial time using that e, and it cannot simulate a transcript with the original probability distribution. In order to satisfy the zero-knowledge property, the verifier must therefore be an honest verifier.

Integer commitment

First, we assume a committer and a verifier communicating with each other through insecure channels. The basic functionality of an integer commitment is that the committer wants to commit in private to a secret s from a set M towards the verifier. The commitment has two important properties: hiding means that the verifier cannot compute s from the commitment, and binding means that the committer cannot change the content after it has been committed to. Later, the committer can open the commitment to reveal s and convince the verifier that it is the same value that was originally committed to. A commitment scheme based on a group or a ring allows the committer to commit to integers of arbitrary size within an abelian group having certain properties. It should produce commitments carrying only a small amount of information, which can be generated efficiently in terms of communication and computational complexity. It should also be difficult to compute the order of the commitment group. Finally, the committer can prove in zero-knowledge, without revealing the secret value s, that he knows how

to open a given commitment and, in particular, that he knows the value s committed to. That is why the commitment scheme can be used with zero-knowledge proofs. We present a homomorphic integer commitment for our scheme in zero-knowledge, based on the Damgård and Lipmaa schemes [6]. To implement it, the message space must have an algebraic structure such as a ring or a group; then multiplicative relationships can be used to check the validity of the ballot format in zero-knowledge proofs, so that the committer can prove knowledge of the committed values and the ciphertexts. We show the homomorphic integer commitment scheme under honest-verifier zero-knowledge proofs in the next section.

Honest-verifier zero-knowledge proofs

In the zero-knowledge proof, the voter generally wants to convince the bulletin board of the correctness of the encrypted vote without revealing the content of the vote. As mentioned under proofs of knowledge, we use a Σ-protocol to prove in zero-knowledge the correctness of the encrypted vote using a multiplicative relationship under the homomorphic integer commitment scheme. We use the homomorphic integer commitment scheme based on the Damgård-Fujisaki commitment [8]. The key parameters are the same as in the homomorphic encryption section: n is chosen as $n = pq$ where p and q are the primes of the RSA modulus, and g and h are squares such that the committer knows neither $\log_g h$ nor $\log_h g$. The homomorphic integer commitment scheme is defined as follows, where m is a message and r is a random number:

$$\mathrm{com}_{(n,g,h)}(m; r) = g^m h^r \bmod n = c.$$

Using the commitment scheme, we can give zero-knowledge proofs of knowledge that a commitment and a ciphertext contain the same element modulo n, and of multiplicative relationships between commitments, to prove that the ciphertext contains a valid vote. The proof of knowledge for a ciphertext containing a valid vote on multiple candidates is as follows [6]:

Common inputs: $M = p^2$, where M is the number of voters and p is a prime.

Secret inputs for the prover: $0 \le j_1 < \ldots < j_N < L$ and $r_E \in R_{pk}$ such that $E = E_{pk}(M^{j_1} + \cdots + M^{j_N}; r_E)$, where L is the number of candidates, $r_E$ is the random number used by the encryption function, $R_{pk}$ is the randomizer space, and $E_{pk}$ is the encryption function.

Initial message: choose $r_1, \ldots, r_N \in_R \mathbb{Z}_n$ and $r'_1, \ldots, r'_N \in_R \mathbb{Z}_n$, and compute

$c_1 = \mathrm{com}_K(p^{j_1}; r_1)$, $c'_1 = \mathrm{com}_K(p^{j_2 - j_1 - 1}; r'_1)$, ..., $c_N = \mathrm{com}_K(p^{j_N}; r_N)$, $c'_N = \mathrm{com}_K(p^{L - j_N - 1}; r'_N)$.

Then choose $d_1, \ldots, d_N \in_R \mathbb{Z}_n$, $\gamma \in_R \mathbb{Z}_n$, $r_{d_1}, \ldots, r_{d_N} \in_R \mathbb{Z}_n$, $r_{d_1 b}, \ldots, r_{d_N b} \in_R \mathbb{Z}_n$, $r_\gamma \in_R \mathbb{Z}_n$ and $r'_\gamma \in_R \mathbb{Z}_n$.

Send to verifier:

$c_{d_1} = \mathrm{com}_K(d_1; r_{d_1})$, $c_{d_1 b} = \mathrm{com}_K(d_1 p^{j_2 - j_1}; r_{d_1 b})$, ..., $c_{d_N} = \mathrm{com}_K(d_N; r_{d_N})$, $c_{d_N b} = \mathrm{com}_K(d_N p^{L - j_N}; r_{d_N b})$,

$c_\gamma = \mathrm{com}_K(\gamma; r_\gamma)$, $E_\gamma = E_{pk}(d_1 p^{j_1} + \cdots + d_N p^{j_N} + \gamma \bmod n; r'_\gamma)$.

Challenge to prover: select e at random from $\{0, \ldots, 2^t - 1\}$.

Answer to verifier:

$f_1 = e p^{j_1} + d_1, \ldots, f_N = e p^{j_N} + d_N$
$z_{1,1} = e r_1 + r_{d_1}, \ldots, z_{1,N} = e r_N + r_{d_N}$
$z_{2,1} = p f_1 r'_1 - e r_2 - r_{d_1 b}, \ldots, z_{2,N} = p f_N r'_N - e r_{N+1} - r_{d_N b}$
$z_3 = f_1 r_1 + \cdots + f_N r_N + r_\gamma$
$z_4 = e r_E + r'_\gamma$
$D = e(M^{j_1} + \cdots + M^{j_N}) + d_1 p^{j_1} + \cdots + d_N p^{j_N} + \gamma$

Verification:

$\mathrm{com}_K(f_1; z_{1,1}) = c_{d_1} c_1^{e}, \ldots, \mathrm{com}_K(f_N; z_{1,N}) = c_{d_N} c_N^{e}$
$c_2^{e} c_{d_1 b} \mathrm{com}_K(0; z_{2,1}) = (c'_1)^{p f_1}, \ldots, c_{N+1}^{e} c_{d_N b} \mathrm{com}_K(0; z_{2,N}) = (c'_N)^{p f_N}$
$\mathrm{com}_K(D; z_3) = c_1^{f_1} \cdots c_N^{f_N} c_\gamma$
$E_{pk}(D \bmod n; z_4) = E^{e} E_\gamma$

Converting interactive proof to non-interactive proof

In order to achieve a non-interactive proof, the only thing the prover needs from the verifier is the random challenge e. If the prover can generate the random challenge bits instead of the verifier, the whole interactive protocol becomes non-interactive: the prover uses the hash function h to create the challenge as $e = h(x, a)$, where x is the common input and a is the initial message of the honest-verifier zero-knowledge proof.

2.3 Bulletin board

A bulletin board is a public broadcast channel with memory, which is used in our voting system for all communication between voters and authorities. Any information on the bulletin board can be read by any third party and can be monitored publicly. The bulletin board, however, does not allow any party to erase information from the board. Only a valid voter can append an encrypted vote in his/her own section of the board. Each column of the bulletin board for a voter consists of four fields, challenge, response, ballot and proof, as follows:

Challenge field: The verifier posts the challenge value.
Response field: The voter gives the response value to the verifier.
Proof field: The verifier posts the proof of validity for the final ballot.
Ballot field: The voter posts the final ballot.

The bulletin board executes the interactive proof of validity with voters in the challenge, response, and proof fields during the voting. At the end of the validity proof, the bulletin board posts the proof of validity of the final ballot in the ballot field. In order to gain access to the various fields of the bulletin board, each voter must be identified by a digital signature.
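The Σ-protocol of Section 2.2 instantiated for the Damgård-Fujisaki commitment com(m; r) = g^m h^r mod n, together with the Fiat-Shamir conversion just described, as an added example (not code from the SGEES project): it runs the three moves (a, e, z), shows the special honest-verifier simulator that produces accepting transcripts without knowing (m, r), and derives e = H(x, a) for the non-interactive version. The challenge length T, the message bound MSG_BITS and the toy modulus 23 * 47 are assumptions of this example.

```python
"""Sigma-protocol proof of knowledge of a commitment opening (added example).

A prover knowing (m, r) with c = g^m h^r mod n convinces a verifier of that
fact without revealing m or r, first interactively and then non-interactively
with e = H(x, a) (Fiat-Shamir).  The toy modulus 23 * 47 is far too small for
real use; T and MSG_BITS are assumed parameters.
"""
import hashlib
import math
import secrets

T = 128          # challenge length in bits: e in {0, ..., 2^T - 1}
MSG_BITS = 64    # assumed bound on |m|; masks are chosen much wider than e*m


def _random_square(n):
    """A random square mod n that is a unit, so commitments are invertible."""
    while True:
        a = secrets.randbelow(n - 2) + 2
        if math.gcd(a, n) == 1 and pow(a, 2, n) != 1:
            return pow(a, 2, n)


def setup(p=23, q=47):
    """Commitment key (n, g, h): n = pq, g and h random squares mod n.

    Squaring random elements hides the relation between g and h, so the
    committer does not know log_g h (as the Damgard-Fujisaki scheme needs).
    """
    n = p * q
    return n, _random_square(n), _random_square(n)


def commit(key, m, r):
    n, g, h = key
    return pow(g, m, n) * pow(h, r, n) % n


# --- interactive Sigma-protocol: moves a, e, z ---------------------------

def prover_initial(key):
    """P_1: pick masking randomness (d, s) and send a = com(d; s)."""
    n, _, _ = key
    d = secrets.randbits(MSG_BITS + T + 80)          # >> e*m, so z_m hides m
    s = secrets.randbits(n.bit_length() + T + 80)    # >> e*r, so z_r hides r
    return commit(key, d, s), (d, s)


def verifier_challenge():
    """V_1: an honest verifier picks e uniformly from {0, ..., 2^T - 1}."""
    return secrets.randbits(T)


def prover_response(state, e, m, r):
    """P_2: z = (d + e*m, s + e*r), computed over the integers."""
    d, s = state
    return d + e * m, s + e * r


def verify(key, c, a, e, z):
    """V_2: accept iff com(z_m; z_r) == a * c^e (mod n)."""
    n, _, _ = key
    z_m, z_r = z
    return commit(key, z_m, z_r) == a * pow(c, e, n) % n


# --- special honest-verifier zero-knowledge --------------------------------

def simulate(key, c):
    """Accepting transcript for c produced without any opening of c.

    Choose e and z first, then solve for a = com(z_m; z_r) * c^(-e).  This
    only works because an honest verifier picks e independently of a; a
    verifier that chose e as a function of a could not be simulated this way.
    """
    n, _, _ = key
    e = verifier_challenge()
    z = (secrets.randbits(MSG_BITS + T + 80),
         secrets.randbits(n.bit_length() + T + 80))
    a = commit(key, *z) * pow(c, -e, n) % n
    return a, e, z


# --- Fiat-Shamir: the prover derives the challenge e = H(x, a) itself -----

def fiat_shamir_challenge(key, c, a):
    n, g, h = key
    data = "|".join(str(v) for v in (n, g, h, c, a)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - T)


def prove_noninteractive(key, c, m, r):
    a, state = prover_initial(key)
    e = fiat_shamir_challenge(key, c, a)
    return a, prover_response(state, e, m, r)


def verify_noninteractive(key, c, proof):
    a, z = proof
    return verify(key, c, a, fiat_shamir_challenge(key, c, a), z)
```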

2.4 Threshold decryption system

In a (t, n)-threshold scheme a trusted party selects a secret key x and distributes shares of x to n members. Any group of t members that pool their shares can then recover the secret x, but no t − 1 members can do so. The (t, n)-threshold scheme based on Lagrange interpolation was developed by Shamir [13]. If there are fewer than t members, they cannot obtain any information about the secret x. The power to regenerate a valid secret key can be shared, and the result can be decrypted without knowing the shared secret keys. The main components of a threshold decryption model are as follows:

A key generation protocol: The trusted third authority distributes the private/public keys to the members.

A decryption protocol based on the discrete-logarithm assumption using a threshold cryptosystem: To decrypt a ciphertext c, a master server forwards the ciphertext to the member servers. Using its share of the secret key, each member server runs the decryption algorithm and outputs a partial decryption of c together with a validity proof. Finally, the master server uses the combining algorithm to decrypt the ciphertext, but only if the partial decryptions are valid.

Notation and requirements

We define p and q to be large primes such that $q \mid p - 1$, $G_q$ the unique subgroup of $\mathbb{Z}_p^*$ of order q, and g a generator of $G_q$. The security rests on the discrete-logarithm assumption: the random secret shares are generated for a uniformly distributed value $x \in_R \mathbb{Z}_q$, and the public key is $y = g^x$. We require that a master server sends the initial input parameters, i.e. the triple (p, q, g), to all members through the broadcast channel. The computation of the trusted party is executed by the key generation protocol, which generates the shared secret keys $x_i \in \mathbb{Z}_q$ with validation and then produces the public key.

Secret sharing

The basic approach to a threshold cryptosystem is secret sharing: a secret value is split into pieces in such a way that any small set of pieces gives no information about the secret, but any large set of pieces uniquely reconstructs the secret. The sharing is based on Shamir's scheme [13]. The scheme uses polynomial interpolation of y = f(x) of degree t − 1, which is uniquely defined by t points $(x_i, y_i)$ with distinct $x_i$'s. Shamir's scheme is briefly described below.

Secret sharing: The dealer P selects a random polynomial f(x) of degree t − 1 to share a secret key s as follows:

$$f(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$$

where $a_j \in_R \mathbb{Z}_q$ for $j = 0, \ldots, t-1$ and $a_0 = s$. Then the dealer assigns a unique non-zero element $\alpha_i \in_R \mathbb{Z}_q$ to each member $P_i$, computes the shares $s_i = f(\alpha_i)$ for $i = 1, \ldots, n$, and sends each share $s_i$ to member $P_i$ securely. Fewer than t shares $s_1, s_2, \ldots, s_l$ contain no information about the secret s, by the properties of Lagrange interpolation.

Secret reconstruction: In order to reconstruct the secret key s, each member $P_i$ sends the share $s_i$ it received from the dealer P, who can then reconstruct the secret key. The dealer uses Lagrange interpolation, which gives the following expression:

$$f(x) = \sum_{i=1}^{t} s_i \prod_{j=1, j \ne i}^{t} \frac{x - \alpha_j}{\alpha_i - \alpha_j}$$

and it computes the secret key s as

$$s = \sum_{i=1}^{t} \gamma_i s_i = f(0)$$

where $\gamma_1, \ldots, \gamma_t$ are given by

$$\gamma_i = \prod_{j=1, j \ne i}^{t} \frac{\alpha_j}{\alpha_j - \alpha_i}.$$
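Shamir sharing over Z_q and the threshold decryption model of Section 2.4 combined, as an added example (not code from the SGEES project): the dealer shares x, each key share worker returns the partial decryption u^{x_i}, and the master combines them with the Lagrange coefficients γ_i in the exponent, so the secret key x is never reconstructed. The toy group parameters p = 2039, q = 1019, g = 4 and the choice α_i = i are assumptions of this example.

```python
"""Shamir (t, n) secret sharing and threshold ElGamal decryption (added example).

Notation follows the section above: primes p, q with q | p - 1, G_q = <g> of
order q in Z_p^*, secret x in Z_q shared as x_i = f(alpha_i), public key
y = g^x.  Toy parameters p = 2039 = 2q + 1, q = 1019, g = 4 = 2^2 (a square,
hence of order q); far too small for real use.
"""
import secrets

P, Q, G = 2039, 1019, 4


def share_secret(x, t, n, q=Q):
    """Dealer: random f of degree t-1 with f(0) = x; share i is (alpha_i, f(alpha_i))."""
    coeffs = [x % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    shares = []
    for alpha in range(1, n + 1):          # alpha_i = i: distinct and non-zero
        y = 0
        for c in reversed(coeffs):         # Horner evaluation of f(alpha) mod q
            y = (y * alpha + c) % q
        shares.append((alpha, y))
    return shares


def lagrange_at_zero(alphas, i, q=Q):
    """gamma_i = prod_{j != i} alpha_j / (alpha_j - alpha_i) mod q."""
    num = den = 1
    for j in alphas:
        if j != i:
            num = num * j % q
            den = den * (j - i) % q
    return num * pow(den, -1, q) % q


def reconstruct(shares, q=Q):
    """s = sum gamma_i * s_i = f(0); needs at least t shares with distinct alphas."""
    alphas = [a for a, _ in shares]
    return sum(lagrange_at_zero(alphas, a, q) * s for a, s in shares) % q


# --- threshold ElGamal decryption over G_q ---------------------------------

def keygen(t, n):
    """Trusted party: x in Z_q, y = g^x, and n shares of x with threshold t."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), share_secret(x, t, n)


def encrypt(y, m):
    """Plain ElGamal in G_q; m must itself be an element of G_q (a square mod p)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P


def partial_decrypt(share, ct):
    """Key share worker i publishes (alpha_i, u^{x_i}); x_i itself stays private."""
    alpha, x_i = share
    u, _ = ct
    return alpha, pow(u, x_i, P)


def combine(partials, ct):
    """Master server: u^x = prod (u^{x_i})^{gamma_i}, then m = v / u^x.

    The exponent arithmetic is mod q because u lies in G_q, which has order q.
    """
    alphas = [a for a, _ in partials]
    u_x = 1
    for alpha, d in partials:
        u_x = u_x * pow(d, lagrange_at_zero(alphas, alpha), P) % P
    _, v = ct
    return v * pow(u_x, -1, P) % P
```

In a deployment each partial decryption would be accompanied by the validity proof the section calls for, so that a faulty worker's contribution is rejected before combining.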

3 System architecture

Now we describe the architecture of the RIT SGEES voting system. The SGEES voting system is divided into three main components: registration, validation, and tallying. We assume that the voters trust the registrar, bulletin board and key share master servers completely. The student information server (SIS) in Figure 1 already provides a voter's user id and password to the registrar server to verify eligible voters. We use the cryptographic primitives described before: ElGamal-style encryption, honest-verifier zero-knowledge proofs, and the threshold decryption system. As shown in Figure 1, the RIT SGEES voting system consists of five parts: voter, registrar, bulletin board, key share master (trusted admin server), and key share workers (tally servers). Use cases are presented to identify the functional requirements for the main components, as shown in Figure 2. Our system in general has the following features.

1. A voter's client application provides a user-friendly interface.
2. Trusted authorities allow the voters to be authenticated via their votes, using zero-knowledge proofs.
3. The votes are securely transmitted from the voters to the tallying servers via the bulletin board without revealing any voter's private information.
4. The tallying servers count the ballots securely and publish the results of the election on the bulletin board.
5. The client is executed on the voter's Internet-connected PC, enabling communication with the authority to cast the vote and verify the final tally.
6. Distributed servers verify the voters' votes, and collect and count them correctly.

Figure 1: RIT SGEES voting system architecture

3.1 Voting protocol

We chose the Damgård et al. voting scheme [6] for our SGEES voting system since its computation is efficient enough for large-scale voting. The basic security of our system rests on the difficulty of the discrete logarithm problem. The Damgård et al. voting scheme inherits most of the security requirements and properties of the Cramer et al. scheme [4], but the main differences are the ElGamal-style encryption scheme and the use of a threshold decryption scheme. The relation between the voter's identity and the ballot is sealed by the honest-verifier zero-knowledge proofs using the integer commitment scheme. The ballot is sent through an anonymous channel, so no one can see the voter's choices. The main point of the voting protocol is that voters do not need to reveal private information to the tallying servers in order for their ballots to be opened: they encrypt their votes with the tallying servers' public key, and the ballots are safe because fewer than t malicious tallying servers cannot decrypt them during the process.

3.2 Use cases

This section describes the functional requirements of the SGEES voting system, as shown in Figure 2.

New account

Goal: The Registrar obtains the voter's user id and password from SIS to activate the voter's privileges. For this project these privileges include the ability to commit encrypted ballots for the election.

Prerequisites: The voters are already registered in the Registrar's system.

Steps:
1. The Registrar server obtains all of the voters' user id and password information. It creates a digital signature associated with each voter.

Figure 2: Use Cases: SGEES Voting System

2. The Registrar and BulletinBoard share the voter's information.
3. The Registrar receives public keys from KeyShareMaster, see Figure 3.

Login and open account

Goal: The voter wishes to log in to the Registrar's server using his/her user id and password; each voter then receives the tally's public key and a digital signature.

Prerequisites: The voters are valid users on the Registrar and BulletinBoard.

Steps (Figure 4):
1. The voter, using the VoterMain program, logs in to the Registrar server.
2. The Registrar server validates the voter using the user id and password.
3. The Registrar generates private and public values for a digital signature and receives a public key for the tally server.
4. The Registrar returns the public key and digital signature to the VoterMain program.
5. The VoterMain program stores the public key and the digital signature.

Browse candidates and vote candidate

Goal: The VoterMain program shows a list of candidates with multiple questions. The voter can select one candidate associated with each question. The voter submits the result of the vote to the BulletinBoard.

Figure 3: Key generation sequence diagram

Figure 4: Login and registration sequence diagram

Prerequisites: The encrypted ballots are validated through honest-verifier zero-knowledge proofs.

Steps (in Figure 5):
1. The voter chooses a candidate for a question.
2. Once the voter finishes voting, the VoterMain program encrypts the ballot using the tally's public key.
3. The VoterMain program submits the encrypted ballot to the BulletinBoard together with honest-verifier zero-knowledge proofs.
4. The VoterMain program also submits the digital signature for the voter id, so that the BulletinBoard can check whether the vote is a duplicate.
5. The BulletinBoard accepts the encrypted ballots if they are validated by the honest-verifier zero-knowledge proofs.
6. The BulletinBoard notifies the Registrar server that the voter submitted the ballot properly.

3.2.4 Process received ballots

Goal: When the allotted voting time is up, the BulletinBoard combines all encrypted ballots using the homomorphic property of the encryption. The result is a single encrypted ballot holding the sum of all encrypted ballots for all candidates. It gives this ballot to the KeyShareMaster to decrypt.

Prerequisites: All encrypted and validated ballots have been submitted to the BulletinBoard.

Steps:
1. Once time has run out, the BulletinBoard collects all encrypted ballots.

Figure 5: Casting ballot sequence diagram

2. The homomorphic combination is computed over all encrypted ballots.
3. The combined ballot is passed to the KeyShareMaster to decrypt.
4. The KeyShareMaster notifies all KeyShareWorkers, each of which holds its own share of the private key for the encrypted ballots.
5. All KeyShareWorkers cooperate to decrypt the encrypted ballot.
6. Once it is properly decrypted, the result is reported to the BulletinBoard.

3.3 User interface

The SGEES voting system has a simple, easy-to-use interface. It provides straightforward wizards with instructions telling the voter what to do at each stage. There are text fields in which the voters enter their information, as well as submit buttons to send the encrypted data to the bulletin board. The voter votes for candidates on a separate wizard page, so that all information can be displayed on the screen. There is also an option field which allows a voter to choose not to vote for a candidate, because the voter might want to cancel the vote.

3.3.1 Client software

The client software is developed in Java. It has a wizard mechanism composed of two components: the first handles authentication, and the second handles validation of the vote. The voters input their username and password and are given a hash value. They use the hash value when the ballots are submitted to the bulletin board. The ballots are stored in two different files or databases: one to represent validated voters and the other to hold the encrypted votes after submission. There is no way to connect the voters to the ballots they cast.

Figure 6: Login GUI

Figure 7: Voter's information GUI

Figure 8: Choosing candidates GUI

Figure 9: Casting GUI

3.4 Registration

Before the election (as shown in Figure 7), we work under the assumption that registration has been set up for the voter's username and password. The voters are given a user name and password number upon registration to vote. The password number, along with the last four digits of their social security number and their zip code, is used to authenticate the voters at the poll sites. Upon registration and authentication, a new hash value and public key are given to the voter; the voter uses the hash value to identify as a registered voter and the public key to encrypt his/her vote. The voter can thus prove his identity and eligibility. We use the ElGamal cryptosystem, which is based on the Decision Diffie-Hellman assumption, together with the homomorphic encryption property suggested by Damgård et al. [6]. The registration scenario is as follows: each voter can encrypt a ballot with the public key of a trusted tallying server. A trusted admin server distributes the public and private keys. Before the voter submits an encrypted ballot to the bulletin board, the trusted registration server authenticates the voter's eligibility and ensures the uniqueness of the vote. In the process, the homomorphic encryption model is used.

3.5 Validation

After registration (as shown in Figures 8 and 9), the validation process on the bulletin board ensures that each encrypted vote is valid. The correctness of the encrypted vote is validated using honest-verifier zero-knowledge proofs [12, 19, 22, 16, 23] that reveal nothing about the voter's secret information. We address the following properties of honest-verifier zero-knowledge proofs.

Completeness: The Verifier accepts the proof with very high probability if the Prover knows secret information, called a witness, from which a proof can be built.

Special soundness: If the Prover does not know any witness, then whatever probabilistic algorithm it runs, the Verifier rejects the proof attempt with very high probability.

Honest-verifier zero-knowledge: It is possible to generate a transcript, indistinguishable from that of a valid proof protocol, without interacting with the Prover. This ensures that an honest verifier gains no knowledge about the witness held by the Prover.

3.6 Tallying

At the end of the voting period (as shown in Figure 4), all votes are counted correctly and securely by decrypting the final encrypted ballot. This is done by a secret-sharing scheme among a set of authorities. In a (t,n) threshold cryptosystem [19, 10, 18], the private key is shared among n tallying servers, and decryption is possible only when at least t tallying servers cooperate with each other. The idea behind a threshold cryptosystem is to hold the private key in a fault-tolerant way and to distribute the functionality of the cryptographic protocol in order to establish robustness. The tallying process can be shared among n tallying servers by using a (t,n) threshold public-key decryption system: each of the n tallying servers has a share of the private key, and each voter encrypts his vote with the public key of the tallying servers. The final tallying server can decrypt the encrypted vote with the help of t cooperating tallying servers. This provides privacy of the votes and accuracy of the tally as long as at least t tallying servers are available.

3.7 Three-tier structure

In our design, we implemented a three-tier structure for our SGEES voting system. The structure consists of the client presentation, an RMI bulletin board server, and independent distributed threshold server systems. The bulletin board server is used both to provide backup and to maintain validated registrations of the voters. In addition, the bulletin board server also maintains a data file of all the vote tallies that have been submitted.
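The homomorphic combination of section 3.2.4 and the (t,n) threshold decryption of section 3.6, worked through end to end as an added Python example; it is not the project's Java code. It uses a constructed toy group (p = 2039, q = 1019, g = 4) and the Damgård-style encoding of a vote for candidate c as M^c with M larger than the number of voters, so that the discrete logarithm of the combined ballot splits into per-candidate counts; all function names are assumptions.

```python
"""Toy exponential-ElGamal homomorphic tally with (t, n) threshold decryption."""
import secrets

# Constructed toy parameters: P = 2Q + 1 is a safe prime and G generates the
# order-Q subgroup of quadratic residues. A deployment needs a >= 1024-bit P.
P = 2039
Q = 1019
G = 4


def keygen():
    """Tally key pair: secret x in Z_q, public h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode_ballot(candidate, m_base):
    """A vote for candidate c is the integer M^c; M exceeds the number of
    voters, so the per-candidate sums never carry into each other."""
    return m_base ** candidate


def encrypt(h, message):
    """Exponential ElGamal (g^r, h^r * g^message): multiplying two ciphertexts
    component-wise adds the messages, which makes the tally homomorphic."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(h, r, P) * pow(G, message, P) % P


def combine(ciphertexts):
    """Product of all ballots = one encryption of the sum of all ballots."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def share_key(x, t, n):
    """Shamir sharing of x over Z_q (t >= 2): server i holds f(i) for a random
    polynomial of degree t - 1 with f(0) = x. Returns {server_id: share}."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 2)]
    coeffs.append(secrets.randbelow(Q - 1) + 1)  # non-zero leading coefficient
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def partial_decrypt(c1, share):
    """A KeyShareWorker raises c1 to its share; the share itself stays secret."""
    return pow(c1, share, P)


def lagrange_at_zero(i, ids):
    """Lagrange coefficient of server i within the cooperating set, mod Q."""
    lam = 1
    for j in ids:
        if j != i:
            lam = lam * j * pow((j - i) % Q, -1, Q) % Q
    return lam


def recover_encoded_sum(cipher, partials):
    """KeyShareMaster step: combine >= t partial decryptions into c1^x and
    remove it from c2, leaving g^T where T is the sum of encoded ballots.
    With fewer than t partials the interpolation yields an unrelated element."""
    c1, c2 = cipher
    blind = 1
    for i, d_i in partials.items():
        blind = blind * pow(d_i, lagrange_at_zero(i, partials), P) % P
    return c2 * pow(blind, -1, P) % P


def discrete_log(target, bound):
    """T < M^L is small, so g^T is inverted by exhaustive search."""
    acc = 1
    for value in range(bound):
        if acc == target:
            return value
        acc = acc * G % P
    return None


def decode_counts(total, m_base, n_candidates):
    """Split T = sum_c count_c * M^c back into the per-candidate counts."""
    return [total // m_base ** c % m_base for c in range(n_candidates)]


def run_election(votes, n_candidates, t=3, n=5):
    """End-to-end: encrypt, combine, threshold-decrypt with t of n servers."""
    x, h = keygen()
    m_base = len(votes) + 1
    cipher = combine(encrypt(h, encode_ballot(v, m_base)) for v in votes)
    shares = share_key(x, t, n)
    workers = list(shares)[:t]                  # any t of the n servers suffice
    partials = {i: partial_decrypt(cipher[0], shares[i]) for i in workers}
    g_t = recover_encoded_sum(cipher, partials)
    total = discrete_log(g_t, m_base ** n_candidates)
    return decode_counts(total, m_base, n_candidates)
```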

4 EXPERIMENTS

4.1 Performance

To test the performance of the components of our voting scheme (homomorphic encryption, honest-verifier zero-knowledge proofs, and the ElGamal threshold decryption cryptosystem) within the RIT SGEES voting system, four tests were run using moduli of 128, 512, and 1024 bits over a sequence of procedures of the three component schemes. The sequence simulation program was run on a PIII 1.0 GHz with 512 Mbytes of memory, running Windows XP. For each test, only the modulus size n was changed, with various values of s for Z_{n^s}. The tests ran the three component algorithms sequentially in the protocol. In the tests, there were four main parameters, including Q = 3, L = 10, and M = 9978, where Q is the number of questions, L is the number of candidates, and M is the maximum number of voters, which needs to be carefully chosen.

Table 1: CPU time (sec) of the three component algorithms, for each s and modulus size N (bits): ElGamal encryption, decryption, zero-knowledge proofs, and the (3,5) threshold cryptosystem (ballot size: 50 bytes). (The numeric entries of the table are not recoverable from the extracted text.)

4.2 Security level

4.2.1 Registration

During registration, the public key and the modulus are passed from the tallying server to the user. To make the connection secure, SSL will be adopted for the communication channel, along with PKI for authentication of voters.

4.2.2 Validation

The main issue in the voting system is how encrypted ballots are validated without revealing their contents. The validation of the correctness of ballots is implemented by zero-knowledge techniques in our voting system. SGEES uses honest-verifier zero-knowledge proofs to solve this issue with a three-round interactive protocol. According to the simulation results, this remains computationally expensive in comparison to normal encryption and decryption. However, the communication might be reduced by using non-interactive honest-verifier zero-knowledge proofs, where a hash function generates the challenges. This allows a single round of interaction between user and server to validate the correctness of ballots.

4.2.3 Modulus

It is believed that finding the tallying private key given the public key is as difficult as the underlying discrete logarithm. The key parameters require an RSA modulus n = pq where p = 2p' + 1 and q = 2q' + 1. The threshold decryption cryptosystem also works with quadratic residues modulo n' = p'q' to generate the shares of the private key. However, the key spaces are based on a discrete logarithm problem, because of the primitive elements and quadratic residues modulo n in Z_{n^s}. The p and q should each be 500 digits in length. This implies a modulus of at least 1024 bits.

5 Conclusions

We have researched a practical voting system under the Damgård et al. voting scheme [6] that satisfies the requirements. To the best of our knowledge, this is a secure, practical voting scheme. We have implemented and deployed our voting system based on homomorphic encryption, honest-verifier zero-knowledge proofs, and a (t, n) threshold decryption cryptosystem. In our three component algorithms, the key parameters are generated by a single KeyServer, which is in a position to learn the private key before distributing each share of it to the threshold key share servers. To prevent this abuse by a single KeyShare, we need a Distributed Key Generation (DKG) scheme based on distributed variants of threshold cryptosystems [14, 15, 3]. The concept of DKG is explained in Appendix A at the end. Future work should research various security issues and their solutions, such as receipt-freeness, which our system does not provide. In particular, in the voting setting efficient computation and communication are important.
Therefore, efficiency as well as security has to be studied in the electronic voting system.
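The ballot-validity proof of section 3.5, in the non-interactive form discussed in section 4.2.2, as an added Python example that is not the project's code: a disjunctive Chaum-Pedersen proof in the style of Cramer et al. [4] (the project's own proof follows Damgård et al. [6]) that an exponential-ElGamal ballot encrypts one of the allowed encodings M^0, ..., M^(L-1), with a SHA-256 hash standing in for the verifier's challenge. The toy group and all function names are assumptions; the three properties of section 3.5 are exercised by prove/verify (completeness), by a proof for a disallowed encoding being rejected (soundness), and by simulate (honest-verifier zero-knowledge).

```python
"""Ballot-validity proof for an exponential-ElGamal ballot: a disjunctive
(OR) Chaum-Pedersen proof that the ciphertext encrypts one of the allowed
encodings M^0, ..., M^(L-1), made non-interactive with a hash challenge."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the order-Q
# subgroup. A deployment needs a modulus of at least 1024 bits.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, message):
    """Returns the randomness r (the prover's witness) and the ciphertext."""
    r = secrets.randbelow(Q - 1) + 1
    return r, (pow(G, r, P), pow(h, r, P) * pow(G, message, P) % P)


def challenge(h, c1, c2, commitments):
    """Fiat-Shamir: hash everything the honest verifier would have seen."""
    data = ",".join(map(str, (h, c1, c2, *commitments))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def _target(c2, value):
    """y = c2 / g^value; the ballot encodes `value` iff log_g c1 = log_h y."""
    return c2 * pow(pow(G, value, P), -1, P) % P


def _fake_branch(h, c1, y, e_k, z_k):
    """Commitments that satisfy the verifier for a branch whose challenge and
    response were chosen in advance; this needs no witness at all."""
    a = pow(G, z_k, P) * pow(pow(c1, e_k, P), -1, P) % P
    b = pow(h, z_k, P) * pow(pow(y, e_k, P), -1, P) % P
    return a, b


def prove(h, cipher, r, values, true_index):
    """Prover knows r and the index of the value actually encrypted."""
    c1, c2 = cipher
    w = secrets.randbelow(Q - 1) + 1
    branches = []
    for k, v in enumerate(values):
        if k == true_index:                      # real commitment
            branches.append([pow(G, w, P), pow(h, w, P), None, None])
        else:                                    # simulated branch
            e_k, z_k = secrets.randbelow(Q), secrets.randbelow(Q)
            a, b = _fake_branch(h, c1, _target(c2, v), e_k, z_k)
            branches.append([a, b, e_k, z_k])
    e = challenge(h, c1, c2, [x for br in branches for x in br[:2]])
    e_true = (e - sum(br[2] for br in branches if br[2] is not None)) % Q
    branches[true_index][2] = e_true
    branches[true_index][3] = (w + r * e_true) % Q
    return [tuple(br) for br in branches]


def verify_transcript(h, cipher, values, proof, e):
    """Interactive-style check against an explicit challenge e."""
    c1, c2 = cipher
    if sum(br[2] for br in proof) % Q != e:
        return False
    for (a, b, e_k, z_k), v in zip(proof, values):
        y = _target(c2, v)
        if pow(G, z_k, P) != a * pow(c1, e_k, P) % P:
            return False
        if pow(h, z_k, P) != b * pow(y, e_k, P) % P:
            return False
    return True


def verify(h, cipher, values, proof):
    """Non-interactive check: the challenge is recomputed from the hash."""
    e = challenge(h, cipher[0], cipher[1], [x for br in proof for x in br[:2]])
    return verify_transcript(h, cipher, values, proof, e)


def simulate(h, cipher, values, e):
    """HVZK simulator: an accepting transcript for challenge e built without r."""
    c1, c2 = cipher
    es = [secrets.randbelow(Q) for _ in values[:-1]]
    es.append((e - sum(es)) % Q)
    proof = []
    for v, e_k in zip(values, es):
        z_k = secrets.randbelow(Q)
        a, b = _fake_branch(h, c1, _target(c2, v), e_k, z_k)
        proof.append((a, b, e_k, z_k))
    return proof
```

A cheating prover whose ballot encodes a value outside the allowed list passes only if the challenge of its claimed branch happens to be 0, i.e. with probability 1/q per attempt.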

6 ANNOTATED REFERENCES

This section briefly presents the primary reference sources. The selected papers provide the ideas and concepts of encryption and cryptographic protocols for an e-voting system.

The Theory and Implementation of an Electronic Voting System [6]
Authors: Ivan Damgård, Jens Groth and Gorm Salomonsen. July 31, 2002.
The paper describes a practical voting scheme based on homomorphic encryption. It is based on the intractability of the Decision Diffie-Hellman assumption. It provides efficient encryption and decryption using the standard binomial expansion. It then presents efficient honest-verifier zero-knowledge proofs that allow verification of ballots without revealing their contents.

A Generalization, a Simplification and some Applications of Paillier's Probabilistic Public-Key System [9]
Authors: Ivan Damgård and Mads Jurik.
This gives an example of Paillier's encryption and decryption scheme based on computation in the group of an RSA modulus. The paper presents a decryption mechanism that computes discrete logarithms to the fixed base n + 1. For the ElGamal-style cryptosystem, we can deploy this example in the e-voting system for encryption and decryption.

Secure and Optimally Efficient Multi-Authority Election Scheme [4]
Authors: Ronald Cramer, Rosario Gennaro and Berry Schoenmakers.
The paper presents a multi-authority secret-ballot election scheme based on the ElGamal cryptosystem. The authors propose a general framework for an e-voting scheme that guarantees privacy, universal verifiability, and robustness. The main focus of this paper is to provide verification of encryption among threshold authorities using honest-verifier zero-knowledge proofs.

Threshold Cryptosystems [10]
Authors: Yvo Desmedt and Yair Frankel
The authors propose the original fundamental threshold scheme. It is a practical non-interactive public-key system which allows the reuse of the shared secret key. It also gives an example deployment of the ElGamal public-key cryptosystem based on the discrete log problem. It explains shadow generation using Lagrange interpolation. This paper is a comprehensive reference for learning about threshold schemes.

A JCA-based Implementation Framework for Threshold Cryptography [24]
Authors: Yih Huang, David Rine and Xunhua Wang
This provides a framework for threshold cryptography using Java and the Java Cryptography Extension (JCE). It introduces general RSA and DSA threshold schemes as a branch of group-oriented cryptography where each user shares the responsibility of its role. It does not, however, provide a framework for a verification mechanism using honest-verifier zero-knowledge proofs after collecting each share of the keys from the members.

A Threshold Cryptosystem without a Trusted Party [21]
Authors: Torben Pryds Pedersen
Most threshold cryptosystems require a trusted third party, which generates private/public keys and distributes pieces of information to each threshold member. This paper gives the fundamental concepts of key generation without a trusted party, using broadcast and secure communication mechanisms based on a discrete logarithm problem such as in the ElGamal cryptosystem. For an e-voting system, we can deploy the distributed key generation protocol in the (t, n) threshold cryptosystem to generate private/public keys without the key generation server. Another challenging problem, however, is that the key parameter spaces in this paper are different rings or groups than those of the ElGamal encryption.

Secure Distributed Key Generation for Discrete-Log based Cryptosystems [14]
Authors: Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk and Tal Rabin
The proposed distributed key generation scheme is based on Pedersen's scheme. This paper proposes an improvement of Pedersen's scheme. It illustrates how to prevent an active attacker from controlling parties during key generation, using commitments and a broadcast mechanism.

REFERENCES

[1] J.C. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. In Proceedings of the 26th Annual Symposium on the Theory of Computing (STOC 94).
[2] CALTECH-MIT Voting Technology Project. Retrieved on October 27, 2003.
[3] J. Canny and S. Sorkin. Practical Large-Scale Distributed Key Generation. In Advances in Cryptology - EUROCRYPT 2004.
[4] R. Cramer, R. Gennaro and B. Schoenmakers. A Secure and Optimally Efficient Multi-Authority Election Scheme. Proceedings of EUROCRYPT 97, Springer Verlag LNCS series.
[5] R. Cramer, M. Franklin, B. Schoenmakers and M. Yung. Multi-authority secret ballot elections with linear work. Advances in Cryptology - EUROCRYPT 96, LNCS.
[6] I. Damgård, J. Groth and G. Salomonsen. The theory and implementation of an electronic voting system. In D. Gritzalis, editor, Secure Electronic Voting. Kluwer Academic Publishers.
[7] I. Damgård and M. Jurik. A Length-Flexible Threshold Cryptosystem with Applications. BRICS Report Series Publications.
[8] I. Damgård and Fujisaki. An Integer Commitment Scheme based on Groups with Hidden Order. Manuscript, 2001, available from the ePrint archive.
[9] I. Damgård and M. Jurik. A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System. Proc. of Public Key Cryptography 2001, Springer Verlag LNCS series.
[10] Y. Desmedt and Y. Frankel. Threshold cryptosystems. Advances in Cryptology - CRYPTO 89, Springer Verlag LNCS series.


Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena Lecture 8: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus Jacobson Course Admin HW/Lab 3

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular

More information

Attribute Based Encryption with Privacy Protection in Clouds

Attribute Based Encryption with Privacy Protection in Clouds Attribute Based Encryption with Privacy Protection in Clouds Geetanjali. M 1, Saravanan. N 2 PG Student, Department of Information Technology, K.S.R College of Engineering, Tiruchengode, Tamilnadu, India

More information

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings A Thesis for the Degree of Master of Science Provably Secure Threshold Blind Signature Scheme Using Pairings Vo Duc Liem School of Engineering Information and Communications University 2003 Provably Secure

More information

The Beta Cryptosystem

The Beta Cryptosystem Bulletin of Electrical Engineering and Informatics Vol. 4, No. 2, June 2015, pp. 155~159 ISSN: 2089-3191 155 The Beta Cryptosystem Chandrashekhar Meshram Department of Mathematics, RTM Nagpur University,

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

MULTIPARTY COMPARISON An Improved Multiparty Protocol for Comparison of Secret-shared Values

MULTIPARTY COMPARISON An Improved Multiparty Protocol for Comparison of Secret-shared Values MULTIPARTY COMPARISON An Improved Multiparty Protocol for Comparison of Secret-shared Values Tord Ingolf Reistad Department of Telematics, O.S. Bragstads plass 2B, NTNU, Trondheim, Norway tordr@item.ntnu.no

More information

Blind Signatures and Their Applications

Blind Signatures and Their Applications Department of Computer Science, National Chiao Tung University 1 / 15 Cryptanalysis Lab Outline 1 Digital Signature 2 Blind signature 3 Partially blind signature 2 / 15 Cryptanalysis Lab Digital Signature

More information

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass

More information

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT - 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT With the capacity of communications channels increasing at the current

More information

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode Int. J. Nonlinear Anal. Appl. 5 (2014) No. 2, 60-66 ISSN: 2008-6822 (electronic) http://www.ijnaa.semnan.ac.ir Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

More information

Efficiency Optimisation Of Tor Using Diffie-Hellman Chain

Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Kun Peng Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract Onion routing is the most common anonymous communication channel.

More information

IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT

IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT Helwan University From the SelectedWorks of Maged Ibrahim July, 2015 IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT Ahmed Soliman Maged Ibrahim, Helwan University Adel El-Hennawy

More information

More crypto and security

More crypto and security More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade

More information

Scaling Privacy Guarantees in Code Verification Elections

Scaling Privacy Guarantees in Code Verification Elections Scaling Privacy Guarantees in Code Verification Elections Anthi Orfanou Columbia University July 18, 2013 Joint work with Aggelos Kiayias (University of Athens) Anthi Orfanou (Columbia University) Scaling

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

Zero Knowledge Protocol

Zero Knowledge Protocol Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information

More information

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Digital Signatures. Luke Anderson. 7 th April University Of Sydney. Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1

More information

An Identity Escrow Scheme with Appointed Verifiers

An Identity Escrow Scheme with Appointed Verifiers An Identity Escrow Scheme with Appointed Verifiers Jan Camenisch 1 and Anna Lysyanskaya 2 1 IBM Research Zurich Research Laboratory CH 8803 Rüschlikon jca@zurich.ibm.com 2 MIT LCS 545 Technology Square

More information

Security Remarks on a Convertible Nominative Signature Scheme

Security Remarks on a Convertible Nominative Signature Scheme Security Remarks on a Convertible Nominative Signature Scheme Guilin Wang and Feng Bao Institute for Infocomm Research (I 2 R) 21 Heng Mui Keng Terrace, Singapore 119613 {glwang,baofeng}@i2r.a-star.edu.sg

More information

New Efficient and Secure Protocols for Verifiable Signature Sharing and Other Applications 1

New Efficient and Secure Protocols for Verifiable Signature Sharing and Other Applications 1 Journal of Computer and System Sciences 61, 5180 (2000) doi:10.1006jcss.1999.1685, available online at http:www.idealibrary.com on New Efficient and Secure Protocols for Verifiable Signature Sharing and

More information

A Novel Identity-based Group Signature Scheme from Bilinear Maps

A Novel Identity-based Group Signature Scheme from Bilinear Maps MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Proceedings of the 10th International Conference on Computational and Mathematical Methods in Science and Engineering, CMMSE 2010 27 30 June 2010. Multi-authority attribute based encryption with honest-but-curious

More information

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering

More information

Other Topics in Cryptography. Truong Tuan Anh

Other Topics in Cryptography. Truong Tuan Anh Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who 1 The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does

More information

Key Escrow free Identity-based Cryptosystem

Key Escrow free Identity-based Cryptosystem Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate

More information

Provable Partial Key Escrow

Provable Partial Key Escrow Provable Partial Key Escrow Kooshiar Azimian Electronic Research Center, Sharif University of Technology, and Computer Engineering Department, Sharif University of Technology Tehran, Iran Email: Azimian@ce.sharif.edu

More information

Cryptanalysis of a Universally Verifiable Efficient Re-encryption Mixnet

Cryptanalysis of a Universally Verifiable Efficient Re-encryption Mixnet Cryptanalysis of a Universally Verifiable Efficient Re-encryption Mixnet Shahram Khazaei, khazaei@kth.se Björn Terelius, terelius@kth.se Douglas Wikström, dog@csc.kth.se February 24, 2012 Abstract We study

More information

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part

More information

Combining ABCs with ABE

Combining ABCs with ABE Combining ABCs with ABE T. R. van de Kamp Combining ABCs with ABE Privacy-Friendly Key Generation for Smart Card Based Attribute-Based Encryption 2014 Master s thesis Computer Science, Services, Cybersecurity,

More information

A Method for Obtaining Deniable Public-Key Encryption

A Method for Obtaining Deniable Public-Key Encryption International Journal of Network Security, Vol.8, No.1, PP.1 9, Jan. 2009 1 A Method for Obtaining Deniable Public-Key Encryption Maged Hamada Ibrahim Department of Electronics, Communications and Computers,

More information

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another

More information

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information 1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19

More information

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Securing Distributed Computation via Trusted Quorums Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Setting Distributed computation over data contributed by users Communication through a central party

More information

ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM

ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM ITALIAN JOURNAL OF PURE AND APPLIED MATHEMATICS N. 38 2017 (45 53) 45 ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM Neha Goel Department of Mathematics University of Delhi Delhi

More information

An abuse-free fair contract-signing protocol based on the RSA signature

An abuse-free fair contract-signing protocol based on the RSA signature University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 An abuse-free fair contract-signing protocol based on the RSA signature

More information

Chapter 10 : Private-Key Management and the Public-Key Revolution

Chapter 10 : Private-Key Management and the Public-Key Revolution COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management

More information

Security Analysis of Batch Verification on Identity-based Signature Schemes

Security Analysis of Batch Verification on Identity-based Signature Schemes Proceedings of the 11th WSEAS International Conference on COMPUTERS, Agios Nikolaos, Crete Island, Greece, July 26-28, 2007 50 Security Analysis of Batch Verification on Identity-based Signature Schemes

More information

An Elliptic Curve On-line\Off-line Digital Signature Scheme for Internet of Things

An Elliptic Curve On-line\Off-line Digital Signature Scheme for Internet of Things International Journal of Engineering & Technology IJET-IJENS Vol:16 No:03 42 An Elliptic Curve On-line\Off-line Digital Signature Scheme for Internet of Things Hisham Dahshan hdahshan1@gmail.com Abstract

More information

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Introduction to Cryptography and Security Mechanisms. Abdul Hameed Introduction to Cryptography and Security Mechanisms Abdul Hameed http://informationtechnology.pk Before we start 3 Quiz 1 From a security perspective, rather than an efficiency perspective, which of the

More information

Evaluating 2-DNF Formulas on Ciphertexts

Evaluating 2-DNF Formulas on Ciphertexts Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh 1,, Eu-Jin Goh 1, and Kobbi Nissim 2, 1 Computer Science Department, Stanford University, Stanford CA 94305-9045, USA {dabo, eujin}@cs.stanford.edu 2

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System) Department of Software The University of Babylon LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY (One-Way Functions and ElGamal System) By College of Information Technology, University of Babylon, Iraq Samaher@itnet.uobabylon.edu.iq

More information

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of

More information

Security properties of two authenticated conference key agreement protocols

Security properties of two authenticated conference key agreement protocols Security properties of two authenticated conference key agreement protocols Qiang Tang and Chris J. Mitchell Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang,

More information

Public-key encipherment concept

Public-key encipherment concept Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication

More information

Linear (k, n) secret sharing scheme with cheating detection

Linear (k, n) secret sharing scheme with cheating detection SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2016; 9:2115 2121 Published online 20 March 2016 in Wiley Online Library (wileyonlinelibrary.com)..1467 RESEARCH ARTICLE Linear (k, n) secret

More information

Introduction to Public-Key Cryptography

Introduction to Public-Key Cryptography Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography

More information