SLIDE 1

Minimum Disclosure Counting for the Alternative Vote

Roland Wen and Richard Buckland

School of Computer Science and Engineering, The University of New South Wales, Sydney, Australia
{rolandw,richardb}@cse.unsw.edu.au

VOTE-ID 2009

SLIDE 2

Outline

◮ Background
  ◮ The Alternative Vote
  ◮ Signature Attacks
  ◮ Security Requirements
◮ Counting Scheme
  ◮ Overview
  ◮ Tally Protocol
  ◮ Exclude Protocol
  ◮ The Winner
◮ Discussion

2 / 24

SLIDE 3

Background The Alternative Vote

The Alternative Vote

◮ Preferential electoral system
◮ Voters express preferences for all candidates
◮ Alternative vote
  ◮ Elect single candidate
  ◮ Winner must obtain majority (> 50%) of votes
  ◮ Many rounds of counting

SLIDE 4


Example: Alternative Vote Elections in Lilliput-Blefuscu

◮ 100 voters
  ◮ 40 Lilliputians (Little-endians)
  ◮ 60 Blefuscudians (Big-endians)
◮ 4 candidates
  ◮ 1 Little-endian (L)
  ◮ 3 Big-endians
    1. Hard eggs (BH)
    2. Medium eggs (BM)
    3. Soft eggs (BS)

SLIDE 5


Example: Counting the Votes

◮ Counting takes place in rounds
◮ Each round is a “last” past the post election
  1. Calculate tallies using highest preference of each ballot
  2. Exclude last candidate from counting

SLIDE 8


Example: Counting the Votes


Candidate    L   BH   BM   BS
Round 1     40   20   25   15
Round 2     40   25   35    -
Round 3     40    -   60    -
(- : candidate excluded)
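The three rounds above, worked through by an added Python example (not from the slides). The ballots' lower preferences are constructed so the transfers reproduce the tallies shown; the exclusion tie-break rule is an assumption.

```python
from collections import Counter

def av_count(ballots):
    """Alternative-vote count. Each ballot ranks every candidate, most
    preferred first. Each round tallies the highest surviving preference of
    every ballot; if no candidate holds a majority (> 50%) the last-placed
    candidate is excluded and the next round begins. Returns (winner, rounds)
    with rounds the list of per-round tallies. Exclusion ties are broken
    alphabetically here (an assumption; real counting rules vary)."""
    continuing = set(ballots[0])
    rounds = []
    while True:
        tally = Counter(next(c for c in b if c in continuing) for b in ballots)
        rounds.append(dict(tally))
        leader, votes = max(tally.items(), key=lambda kv: kv[1])
        if 2 * votes > len(ballots):
            return leader, rounds
        continuing.remove(min(continuing, key=lambda c: (tally[c], c)))

# Constructed Lilliput-Blefuscu ballots: first preferences 40/20/25/15 as in
# the slides; lower preferences are chosen so the transfers reproduce the
# round tallies shown (BS's 15 ballots split 5 to BH and 10 to BM).
LILLIPUT_BALLOTS = (
    40 * [("L", "BH", "BM", "BS")]
    + 20 * [("BH", "BM", "BS", "L")]
    + 25 * [("BM", "BH", "BS", "L")]
    + 5 * [("BS", "BH", "BM", "L")]
    + 10 * [("BS", "BM", "BH", "L")]
)

if __name__ == "__main__":
    winner, rounds = av_count(LILLIPUT_BALLOTS)
    for i, r in enumerate(rounds, 1):
        print(f"Round {i}: {r}")
    print("Winner:", winner)
```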
SLIDE 9

Background Signature Attacks

Signature Attacks

◮ Secret ballot provides privacy and anonymity
◮ Signature attacks link voters to the votes they cast
  ◮ ⇒ Breaks receipt-freeness during the counting
  ◮ Exploited by Italian Mafia
◮ Eg signed ballot with specified permutation of preferences
  ◮ Highly likely that randomly chosen covert signature is unique
  ◮ Number of possible signatures is factorial in number of candidates
  ◮ 20 candidates ⇒ 19! ≈ 10^17 signatures

SLIDE 10


Signature Attacks on Partial Counting Information

◮ May still detect absence of some signatures
  ◮ ⇒ Voters who disobey risk getting caught out
  ◮ ⇒ Sufficient for bribery and coercion
◮ Eg round tallies reveal that some signatures never occur

  Candidate    L   BH   BM   BS
  Round 1     40   20   25   15
  Round 2     40   25   35    -

◮ Increase chance of detecting absent signatures
  ◮ Eg by embedding contrived sequences of preferences in signatures

SLIDE 11


How To Prevent Signature Attacks

◮ Currently no definition for what counting information enables effective signature attacks
◮ All information is potentially dangerous
  ◮ ⇒ Safest approach is that counting reveals nothing apart from the result

SLIDE 12

Background Security Requirements

Security Requirements for Cryptographic Counting

1. Minimum disclosure
  ◮ Reveal only the identity of the winning candidate
2. Universal verifiability
  ◮ Operations are public and accompanied by proofs
3. Robustness

SLIDE 13

Counting Scheme

Minimum Disclosure Counting Scheme


SLIDE 14

Counting Scheme Overview

Main Idea of the Counting Scheme

1. Hide the ordering of ciphertexts
  ◮ Mix-nets randomly permute and re-encrypt list of ciphertexts
  ◮ Rotators randomly cyclically shift and re-encrypt list of ciphertexts
2. Seek ciphertexts with certain properties
  ◮ Plaintext equality/inequality tests compare m1, m2
  ◮ Tests reveal only boolean result m1 = m2 or m1 ≥ m2
3. Perform open operations on identified ciphertexts
  ◮ Eg homomorphic addition m1 ⊞ m2 = m1 + m2

SLIDE 15


Inputs to the Counting Scheme

◮ Counting starts after voting finished
◮ Inputs:
  1. List of all candidates (encrypted and anonymous)
  2. List of ballots
    ◮ Each ballot is list of encrypted preferences in decreasing order of preference
    ◮ Values encrypted with additively homomorphic cryptosystem (eg Paillier)

SLIDE 16

Counting Scheme Tally Protocol

Tallying the Votes

◮ Construct counters (encrypted candidate-tally pairs)
◮ For highest preference of each ballot, increment appropriate counter

SLIDE 17


Incrementing a Counter

1. Mix all counters
2. Use plaintext equality tests to locate counter for BS
3. Openly increment tally for BS using homomorphic addition

SLIDE 18

Counting Scheme Exclude Protocol

Excluding the Last Candidate

◮ Mix the counters
◮ Use plaintext inequality tests to compare encrypted tallies
  ◮ ⇒ Minimum counter (for BS)
◮ Remove encrypted preference for BS from each ballot

SLIDE 19


Removing the Excluded Candidate

1. Rotate all ballots to conceal positions of preferences
2. Use plaintext equality tests to locate preference for BS
3. Openly delete encrypted preference for BS

SLIDE 20


Restoring the Ballots

1. Rotate all ballots to conceal positions of deleted preferences
2. Use plaintext equality tests to locate marker
3. Openly undo cyclic shifts to return ballots to original ordering
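An added Python simulation of the hide-and-seek steps from the Tally and Exclude protocols above (Incrementing a Counter, Removing the Excluded Candidate, Restoring the Ballots), using the mix-net, rotator, plaintext equality test and homomorphic addition building blocks from the scheme overview; it is not the authors' code. It assumes a toy single-key Paillier instance standing in for the threshold cryptosystem, so the equality test decrypts locally where the real protocol decrypts jointly, and it omits the inequality test that finds the minimum counter.

```python
import random

# Toy Paillier key from small constructed primes: illustration only, not secure.
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1)  # phi(N); any multiple of Carmichael's lambda works
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)

def enc(m):  # Paillier encryption with generator g = N + 1
    return pow(N + 1, m, N2) * pow(random.randrange(1, N), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):  # homomorphic addition: E(m1) * E(m2) = E(m1 + m2)
    return c1 * c2 % N2

def reenc(c):  # re-encryption: same plaintext under fresh randomness
    return add(c, enc(0))

def pet(c1, c2):
    """Plaintext equality test: decrypt E(m1 - m2)^r for a random r. The
    result is 0 iff m1 == m2 and otherwise a random value that reveals
    nothing else. A real deployment decrypts jointly under a threshold key."""
    diff = add(c1, pow(c2, -1, N2))
    return dec(pow(diff, random.randrange(1, N), N2)) == 0

def mix(counters):  # mix-net: random permutation plus re-encryption
    return [(reenc(cand), reenc(tally))
            for cand, tally in random.sample(counters, len(counters))]

def increment(counters, pref):
    """Tally protocol: hide (mix the counters), seek (PET each counter's
    candidate against the ballot's highest preference), then openly add 1."""
    return [(cand, add(tally, enc(1)) if pet(cand, pref) else tally)
            for cand, tally in mix(counters)]

def rotate(items):  # rotator: random cyclic shift plus re-encryption
    k = random.randrange(len(items))
    return [reenc(c) for c in items[k:] + items[:k]]

def remove_excluded(ballot, excluded, marker):
    """Exclude protocol: rotate the ballot, delete the preference that PETs
    equal to the excluded candidate, rotate again, then locate the marker
    (an encrypted sentinel kept at the end of every ballot) and undo the
    shift so the remaining preferences return to their original order."""
    rotated = [c for c in rotate(ballot) if not pet(c, excluded)]
    rotated = rotate(rotated)
    k = next(i for i, c in enumerate(rotated) if pet(c, marker))
    return rotated[k + 1:] + rotated[:k + 1]
```

The second rotation matters: without it, the position of the deleted slot relative to the marker would reveal where the excluded candidate sat in the original ballot.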

SLIDE 21

Counting Scheme The Winner

Revealing the Winner

◮ Repeat rounds until only one remaining candidate
  ◮ Constant number of rounds
◮ Decrypt and reveal winner

SLIDE 22


Discussion


SLIDE 23


Summary

◮ Signature attacks problematic for preferential counting
◮ Minimum disclosure property
  ◮ Prevents signature attacks
◮ Minimum Disclosure Counting Scheme
  ◮ Hide and seek paradigm preserves secrecy
  ◮ Plaintext equality and inequality tests, mix-nets, rotators
  ◮ Provide privacy, universal verifiability and robustness
  ◮ Total complexity is O(AC²Vk)

SLIDE 24


Open Problems

1. What is the optimal complexity?
  ◮ At least O(CV) distributed ballot operations
  ◮ Limiting factor appears to be the removal of excluded candidate
  ◮ Seems to require O(C) work per ballot
2. What are the implications of weakening minimum disclosure?
  ◮ How can we assess if specific partial counting information is sensitive?