An untraceable , universally verifiable voting scheme

Recent electronic voting schemes have shown the ability to protect the privacy of voters and prevent the possibility of a voter from being coerced to reveal his vote. These schemes protect the voter’s identity from the vote, but do not do so unconditionally. In this paper we apply a technique called blinded signatures to a voter’s ballot so that it is impossible for anyone to trace the ballot back to the voter. We achieve the desired properties of privacy, universal verifiability, convenience and untraceability at the expense of receipt-freeness. I. Properties of electronic voting The traditional process of voting in local and national elections is cumbersome because a voter must appear in person at a polling place to cast his vote. Two recent proposals for electronic voting protocols attempt to remove this burden while providing a private and secure mechanism. In their paper Receipt-Free Mix-Type Voting Scheme, Kazue Sako and Joe Kilian devise what they believe to be a “practical solution to the implementation of voting booth” (Sako 393). Rosario Gennaro proposes in A Receipt-Free Election Scheme Tolerating a Dynamic Coercer what he believes to be some “practical” assumptions that improve upon the Sako-Kilian scheme and similar protocols (Gennaro 1). The reader is expected to be familiar with public-key cryptosystems such as RSA or ElGamal and digital signature schemes. She is also expected to have some familiarity with the number theoretic properties of primes and discrete logs. 1 Properties of the Sako-Kilian and Gennaro schemes 1.a Privacy Current proposals for electronic voting protocols describe several properties of privacy and security. First and foremost, a protocol must ensure that votes are private. Victor the voter must be sure that any third party cannot determine who he voted for. That is, when Victor submits his vote over a communication channel, he assumes that a malicious eavesdropper Eve is listening. In order to achieve privacy, the voting protocol must employ some form of encryption such as a public-key cryptosystem. This privacy An untraceable, universally verifiable voting scheme 1 depends on the assumption that it is computationally infeasible for Eve to decrypt Victor’s encrypted vote. 1.b Individual and universal verifiability The Sako-Kilian and Rosario Gennaro proposals describe the property of individual verifiability, the ability for Victor to verify if his vote was received properly (Sako 395, Gennaro 7). Victor would desire this property because it proves to him that the voting authority has counted his vote, and gives him some evidence if he needs to levy a complaint because his vote was lost. Individual verifiability allows only Victor to check for the correct receipt of his ballot. Because each voter must check his or her own vote, an auditor would have to contact and receive the cooperation of every voter to audit the election. Universal verifiability allows “any voter or interested third party to at a later time verify that the election was properly performed” (Sako 394). Only with universal verifiability can an audit be performed easily, so this property is desired as long as it does not incur too substantial of a cost (Sako 395). 1.c Receipt-freeness Sako-Kilian and Gennaro credit Josh Cohen Benaloh and David Tunistra with introducing the first receipt-free protocol for electronic voting (Sako 393, Gennaro 1). Benaloh and Tunistra showed that other protocols give Victor a receipt for his vote, allowing him to later prove to another party that he voted a certain way. Victor could use his receipt to sell his vote, or he could be coerced under some threat into revealing his vote to a third party (Sako 393, Gennaro 1-2). A voting protocol that does not give Victor such a receipt (and therefore makes selling votes and coercion impossible) is called receipt-free. Sako and Kilian achieve this receiptfree quality by using a secure, private communication channel through which the voting authority can send Victor a message (Sako 394). Gennaro achieves the same goal by a different physical assumption: Victor has secure hardware that does “oblivious probabilistic encryption” -a smart card, which is an electronic encryption device that does not reveal the random numbers it generates (Gennaro 2). 2 Two desired properties: convenience and untraceability In this section, we introduce two properties of electronic voting that are not addressed by Sako-Kilian or Gennaro. The issues of convenience and untraceability are desirable if an electronic voting protocol is to replace the traditional mechanism. 2.a Convenience Sako and Kilian preface their proposal by stating that “the ultimate goal of secure electronic voting is to replace physical voting booths” (Sako 393). Traditional voting places a burden on citizens because they must be at the appropriate polling place in order to vote in a physical voting booth. This inconvenience may affect voter turnout: according to a report from the Population Division of the Bureau of the Census, less than 45 percent of U.S. citizens aged 18 years or older reported voting in the November 1994 election (Census). Electronic voting has the potential to greatly affect voter registration and turnout if the process of voting can be made more convenient. An untraceable, universally verifiable voting scheme 2 An electronic voting scheme which does not require Victor’s presence in a physical voting booth would remove this inconvenience and is therefore desirable. A protocol for voting which allows Victor to vote from any one of several networked polling locations would be superior to the current system but still inconvenient. A greater degree of convenience is achieved when Victor is able to vote from any networked location such as a telephone, ATM machine, or interactive-television set. Ideally, Victor should not require any external device that interacts with the existing networked device. A lesser degree of convenience than that of traditional voting results if such a device is required. 2.b Untraceability Another desired property is the untraceability of a vote. That is, if Victor submits a vote, a second party (the voting authority) or third party (Eve) should be unable to trace the vote back to him. Even after decryption, the voting authority should be unable to determine the origin of a given vote. It should be able to verify that a vote has come from a valid voter, but it should not be able to discover which one; Victor’s anonymity would be preserved. Such untraceability is desired because it mimics the behavior of conventional voting protocols. 3 Implementation of these properties The privacy property exhibited by Sako-Kilian and Gennaro should be a given. It is not hard to realize this requirement; the protocol would simply require that votes be encrypted with the voting authority’s public key using a public-key encryption scheme such as RSA or ElGamal. We discuss the decryption process below. In order to provide receipt-freeness, Sako-Kilian assumes a secure communications channel. To realize this requirement, Victor must vote at a designated polling place that is known to have a secure channel to the voting authority. Such a requirement conflicts directly with the desired convenience property. Thus, the Sako-Kilian mechanism to achieve receipt-freeness is unsatisfactory. The Gennaro receipt-freeness mechanism is also inconvenient because it requires that each voter posses a tamper-proof smart-card. However, such a smart-card could have a modem in it which would allow Victor to vote from any phone. Using such a smart-card, Victor would sacrifice the inconvenience of using such a device in exchange for the convenience of voting from any phone. The universal verifiability property described by Sako-Kilian and Gennaro is desired because it also mimics traditional voting practices (easy audits and confirmation that a voter has voted). As Sako and Kilian suggest, universal verifiability can be implemented as an extension to the individual verifiability scheme described in Chaum’s mixing technique for electronic mail (Sako 394-395, Chaum81 3-6). Untraceability is computationally possible through a technique called blinded signatures, invented by David Chaum (Chaum92, Chaum88). Blinded signatures, used by Chaum in his untraceable electronic cash scheme, allow a party to digitally authenticate a message without knowing the contents of the message (Chaum92 3). We propose a voting protocol based on blinded signatures in section II of this paper. An untraceable, universally verifiable voting scheme 3 II. An election protocol utilizing blinded signatures 4 Blinded signatures 4.a Chaum’s electronic coin scheme Blind signatures were proposed by Chaum in Untraceable Electronic Cash as a technique realize untraceable electronic coins. The scheme relies on the bank creating a number system where only it can compute cube roots. A coin that Alice would want to spend starts off as a number x that acts like a serial number for a bill. The number x is a 100digit number that Alice chooses at random, so there is very low probability someone else will pick the same serial number (Chaum92 2). This serial number needs to be digitally signed by the bank so that the bank will later recognize it as currency that someone was authorized to spend. However, in order to protect her anonymity, Alice will multiply x by the cube of a another random number, r3. This extra random number is called the blinding factor because it “hides” the value of x from the bank. This blinding factor, according to Chaum, is unconditionally untraceable to Alice: “Even if the bank had infinite computing power, they couldn’t find out because it contains just as much r information as [x] information” (Chaum94 2). Each coin is a pair (x, f(x) 1/3 (mod n)) where f is a one-way function and n is some composite whose factorization is known only to the bank (Chaum88 319). Since only the bank knows the factorization o