- Internet Voting commonly perceived as high risk
- Need to increase trust
- Vote confidentiality
- Tally validity
- Also: updated legal bases
- Validate protocol
- Estimate performance
- Improve internal (State of Geneva) grasp on concepts
- Context
- Update requirements
- Core protocol concepts
- Implementation overview
- Current results
- Ongoing work
-
Internet voting system
-
4 referendum / intiatives voting rounds / year
-
municipal, cantonal and federal elections
- usually 2-4 rounds / year
-
already in use by several cantons
-
developed, hosted and maintained by State of Geneva
- New voting protocol (BFH)
- PoC implementation (State of Geneva)
- Resulting specification and code have been published
- ETA for usage in production: 2019
- New ordinance on Internet Voting (2013, in effect 2014)
- Technical and administrative requirements
- Compliance levels define allowed electorate percentage
- 30% / 50% / 100%
See the website of the Federal Chancellery.
voters must receive proof that the server system has registered the vote as it was entered by the voter on the user platform – VEleS, art. 4
+++
In current version:
- random codes per voter / response
Votes must not be stored or transmitted in unencrypted form at any time from being entered to tallying. – Technical and administrative requirements, section 3.3.4
+++
In current version:
- Incompatible with individual verifiability implementation
- Server needs to know vote to return the matching verification code
For universal verification, the auditors receive proof that the result has been ascertained correctly. They must evaluate the proof in a observable procedure. – VEleS, art. 5 paragraph 4
+++
In current version:
- Not available
- But external supervision by party representatives holding the private decryption key
The trustworthy part of the system includes either one or a small number of groups of independent components secured by special measures (control components). Their use must also make any abuse recognisable if per group only one of the control components works correctly and in particular is not manipulated unnoticed. – VEleS, art. 5, par. 6
+++
In current version:
- Application server protected by organisational measures and enforced policies
- El Gamal homomorphic encryption
- Oblivious Transfer for individual verifiability
- Pedersen Commitments
- Non-interactive Zero-Knowledge Proofs
- Wikström’s Proof of a Shuffle
- Allows re-encryptions
$$e = Enc_{pk}(m, r)$$
$$ReEnc_{pk}(e, r') = e \cdot Enc_{pk}(1, r') = Enc_{pk}(m, r + r')$$
- Useful for anonymizing when shuffling
+++
- Allows for key sharing
- Control components each hold a key share
-
In short
- Server knows n secret messages
- Client allowed to retrieve k secret messages
- Server cannot know which messages the client asked for
- Perfect match for the verification codes issue!
-
In detail
-
“public” commitments for the secrets
-
ZKPs relative to those commitments
-
Chain of truth from key generation to ballot decryption
-
Combination yields Universal verifiability
-
Re-encrypting mix-net
- Since shuffled, simple pre-image proofs would not work
- Since re-encrypted, ciphertexts are not equal
-
Need for a specific proof that the cryptographic shuffle is valid
ch.ge.ve.protopoc.service.algorithm
+++
ch.ge.ve.protopoc.service.support
+++
ch.ge.ve.protopoc.service.simulation
+++
./gradlew simulation/**
*
* Algorithm 7.4: GetNIZKPChallenge
*
* @param y the public values vector (domain unspecified)
* @param t the commitments vector (domain unspecified)
* @param kappa the soundness strength of the challenge
* @return the computed challenge
*/
public BigInteger getNIZKPChallenge(Object[] y, Object[] t, int kappa) {
return conversion.toInteger(hash.recHash_L(y, t)).mod(BigIntegers.TWO.pow(kappa));
}+++
https://ia.cr/2017/325 – team at BFH
+++
-
Covers complete protocol (incl. proofs)
-
Available on GitHub
-
Issues & PRs welcome!
+++
- Also available on GitHub
- Much better than initially feared
- 100k ballots could be
- Shuffled,
- Decrypted,
- & Verified;
- Using “standard” hardware
- Within operational time constraints
- GUI ☺
- Distribution
- Real infrastructure for Control Components
- Resilience & Availability
- Custom rules for layout, specific elections, …
- Back-office, test zone, …
- Cantonal interoperability