AndrewRo August 11, 2017 at 10:37

E-voting protocol: my option

From the sandbox

Observing elections in different countries, complicated by various scandals surrounding fraud, each time raises questions: why is such an important event, the legitimacy of which is so necessary to protect, using protection mechanisms of centuries ago? This is especially strange, given that even a person who understands cryptography at the initial level can come up with a voting scheme, albeit far from ideal, but much better than the current one. It just so coincided that I belong to such people, so I thought: why not try?

On Habré a number of articles on electronic elections have already been published ( one , two , three), however, I did not find a protocol that worked out and meets the basic requirements. So welcome: my version of the electronic voting protocol.

Disclaimer

The author is not a professional in cryptography and mathematics, therefore, this scheme does not claim to be faultless or deeply developed.
The scheme turned out to be quite simple, so it is very likely that I invented a bicycle.

System requirements

What do we want to get on the way out? I formulated the following requirements:

The possibility of independent control;
Resistance to fraud by the election commission, voters and third parties
Inability to find out how a particular voter voted

Tl; dr: protocol summary

The voter is registered with the election commission, providing his personal data, disguised as a voting key and a verification key. The election commission signs a disguised voting key;
The voter unmasks it and receives the signed voting key, creates an anonymous voice on its basis and publishes it;
A voter is selected for each vote from among the voters. The owner of the voice sends his personal data to the reviewer using his public key. The reviewer verifies that the voice matches the real person.

Protocol Details

In the protocol, I used only 2 cryptographic primitives: asymmetric encryption and blind signature algorithm . Naturally, encryption and masking operations must be commutative with respect to each other.

Note: the hash operation during signing, if required, will be omitted.

Designation List

$inline$ - encryption key;

$inline$ - decryption key;

$inline$ - masking factor;

$inline$ - encryption with the key k;

$inline$ - decryption with the key k;

$inline$ - masking by the factor m;

$inline$ - unmasking by the factor m;

$inline$ - information about the person;

$inline$ - choice;

$inline$ - the contract;

$inline$ - voice;

$inline$ - information to verify

0. The source data

Voter:

$e_ {personal}$ - the encryption key (private) of the voter's personal digital signature;
$e_ {vote}$ , $d_ {votes}$ - encryption and decryption keys. Created by the voter for a specific vote;
$inline$ - masking factor. Created by the voter for a specific vote;
$e_ {verification}$ , $d_ {verification}$ - a pair of keys for the verification phase. Created by the voter for a specific vote.

Public repository of personal data:

The following information is stored for each citizen:

$inline$ - information about the voter : full name, year of birth, address of registration, etc. $d_ {personal}$ - public key of a personal digital signature;
$E_ {e _ {\ Large state}} (i + d_ {personal}))$ - State signature certifying the accuracy of the data.

Also in the repository are stored:

$d_ {state}$ - public key of the state;
$d_ {election commission}$ - public key of the election commission.

State:

$e_ {state}$ - private key of the state.

Election Commission:

$e_ {election commission}$ - private key of the election commission.

Note: I used the assumption that at the start of voting the information in the repository is correct: each person has a one-to-one digital signature key, there are no "dead souls" there. I will not consider mechanisms for verifying this information: it seems to me that they should be administrative rather than mathematical. Also, information is assumed to be unchanged throughout the vote.

1. Registration

Each voter presents his data to the electoral commission. He checks that the voter is not yet registered and has the right to vote. After verification, the commission, together with the voter, creates what I will further call a contract .

The contract contains the following data:

$inline$ - voter identity
$M_m (d_ {votes})$ - a voting decryption mask disguised as a secret voter factor
$M_m (e_ {test})$ - encryption key disguised as a secret voter multiplier for verification
$E_ {e _ {\ Large Election Commission}} (M_m (d_ {votes}))$ - a voting decryption key disguised as a secret voter multiplier, signed by the election commission
$K_1 = i + M_m (d_ {voting}) + M_m (e_ {verification}) + E_ {e _ {\ Large election commission}} (M_m (d_ {voting}))$

This information is signed by both the electoral commission and the voter:
$K = K_1 + E_ {e _ {\ Large personal}} (K_1) + E_ {e _ {\ Large election committee}} (K_1)$

All contracts are published by the electoral commission.

At this stage, the following attacks are prevented:

The election commission will refuse to publish the contract. In this case, the voter will be able to prove his existence, because it is signed by the election commission;
The voter will try to register again. The election commission can prove that the voter has already registered with his signature;
The election committee will register non-existent people. In this case, any observer will be able to prove this by showing that the data does not contain personal data in the repository;
The election committee cannot register real people without their presence, because does not have their private key $e_ {personal}$

2. Voting

The voter unmasks the signed voting key:

$N_m (E_ {e_ {election commission}} (M_m (d_ {voting}))) = E_ {e_ {\ Large election commission}} (d_ {vote})$

And creates a voice unrelated to his personality :

$V = d_ {voting} + E_ {e _ {\ Large election committee}} (d_ {voting}) + e_ {verification} + s + E_ {e _ {\ Large voting}} (s)$

Where

$inline$ - selection of a candidate.

The voter anonymously sends a vote to the electoral commission. The election committee publishes it in the public domain and returns it as evidence of admission

$E_ {e _ {\ Large Electoral Commission}} (V)$ .

3. Verification

Unfortunately, at the last stage, the election commission could create as many votes as needed, not related to real personalities, so verification of each vote is necessary. To whom to entrust verification? I find it best to turn to the principles of demarchyand entrust the check to a random voter. You can come up with an infinite number of checking-checked pairs of distribution schemes for a set of votes, but the following seems optimal to me: divide the set into pairs and designate them as checking for each other. Thus, the auditor who divulged information can be held accountable by the auditees. Whichever scheme is used, the algorithm for its formation should be published before the start of registration, and depend on a key unknown before the end of registration. For example, a key can be generated from exchange rates, or publicly and jointly by candidates (for example, using a lottery drum). If you ignore this condition, the election commission will be able to find and add to the list so many fake votes after registration that all of them or most of them will be checking for each other.

So, the key is generated and published. Now, each voter must find his or her verification officer, receive his public verification key from the base of votes

$e_ {verification}$ generate verification information

$I = V + E_ {e _ {\ Large verification \ reviewer}} (i + m + E_ {e _ {\ Large personal}} (i + m))$

and anonymously send her to the election commission. The election committee publishes it in the public domain and returns it as evidence of admission

$E_ {e _ {\ Large Electoral Commission}} (I)$ .

The inspector finds

$inline$ checked in the database by

$inline$ decrypt

$E_ {e _ {\ Large verification}} (i + m + E_ {e _ {\ Large personal}} (i + m))$ using his

$d_ {verification}$ , via

$inline$ unmasks

$M_m (d_ {votes})$ and

$M_m (e_ {test})$ and checks that:

$inline$ is in the database $inline$ and $inline$ ;
signature $E_ {e _ {\ Large personal}} (i + m)$ valid;
$d_ {votes}$ matches stored in $inline$ ;
$e_ {verification}$ matches stored in $inline$ .

The following attacks are prevented:

In case the auditee does not provide $inline$ His voice does not count;
If the verifiable provides false information, the verifier will be able to prove the forgery by publishing his $d_ {verification}$ ;
The verifier cannot publish the personal data of the verifiable, as the inspected also has the data of the inspector and will be able to hold him accountable;
The election committee cannot create votes that are not connected with a real person;
The inspected could not replace the keys stated in the contract;
The voter cannot vote twice because holds only one key signed by the election commission;
The election committee cannot replace $inline$ because does not possess $e_ {vote}$ .

results

Protocol disadvantages:

Unfortunately, it was not possible to achieve complete anonymity: one random voter finds out who you voted for;
The protocol does not protect against the purchase of a vote: the voter can prove that he voted exactly as he declared;
Протокол неудобен для использования для не имеющих доступа к интернету людей: минимум 2 раза требует подключения к интернету (вероятно, в избирательном участке). Более того, избирательный участок может отследить голос и деанонимизировать избирателя. Вероятно, можно решить первую проблему, разрешив избирателю отказаться от роли проверяющего и добавив признак этого в контракт и голос. Недостающие проверки будут распределены между оставшимися избирателями;
Протокол не защищает от следующей проблемы: избирком может просто отказаться принимать «неправильный» голос. В качестве решения можно использовать независимую площадку (например, соцсеть), приравняв публикацию голоса в ней к отсылке его в избирком.

It is also possible that the verification phase can be simplified and made more anonymous using evidence with zero disclosure . Unfortunately, I do not yet know how to do this and whether it is possible.

If you know, write in the comments. Also write, if you know how to improve the protocol, find a bug or vulnerability, and other constructive criticism.

Tags: