From e4227f66a20a62292ff81f245f4f54ed15464954 Mon Sep 17 00:00:00 2001 From: David Florness Date: Sun, 9 Feb 2020 19:37:04 -0700 Subject: [PATCH] OreSec talk: closing discussion on final polynomial and its constant --- doc/oresec-talk/tallyard.tex | 156 ++++++++++++++++++++++++++++------- 1 file changed, 126 insertions(+), 30 deletions(-) diff --git a/doc/oresec-talk/tallyard.tex b/doc/oresec-talk/tallyard.tex index 6e53b7a..99ca40a 100644 --- a/doc/oresec-talk/tallyard.tex +++ b/doc/oresec-talk/tallyard.tex @@ -7,7 +7,7 @@ \usepackage{amssymb} -\title{Securing Election with Homomorphic Cryptography} +\title{Securing Elections using Homomorphic Cryptography} \author{David Florness} \date{February \nth{10}, 2020} @@ -31,7 +31,7 @@ \end{itemize} \end{frame} -\begin{frame}[allowframebreaks]{The Traditional Approach in the Electronic World} +\begin{frame}[allowframebreaks]{The Traditional Approach in Electronic Terms} \begin{enumerate} \item voters register with a server 
@@ -51,49 +51,57 @@ \begin{center} \includegraphics[height=0.8\textheight]{graphics/traditional.png} \end{center} +\end{frame} - \framebreak - +\begin{frame} \begin{itemize} - \item Pros + \item Pros \pause \begin{enumerate} \item easy and simple \item reliable \item allows registration - \end{enumerate} + \end{enumerate} \pause \item Cons \begin{enumerate} - \item faith in a single authority - \item unverifiable - \item vulnerable to denial-of-service attacks + \item trust in a single authority; such a system would be rife with + corruption \end{enumerate} \end{itemize} \end{frame} \begin{frame} \begin{itemize} - \item We want a system that \pause + \item We want an election system that \pause \begin{itemize} \item requires registration / authentication, allowing us to limit who can - to vote \pause + vote \pause \begin{itemize} - \item may want to limit voters members of a club, citizens of the - jurisdiction, etc. + \item we may want to limit voting to members of a club, citizens of a + jurisdiction, etc. \pause + \item without such authentication, stopping double-voting would be a + nightmare \end{itemize} \pause \item gives accurate aggregate results \pause - \item protects voter privacy + \item protects voter privacy \pause \begin{itemize} - \item no individual voters' vote should be knowable by anyone except said - voter + \item no individual voter's vote should be knowable by anyone except said + voter \pause \end{itemize} \end{itemize} \end{itemize} + \dots these sound like conflicting desires\dots \pause but they're not! +\end{frame} + +\begin{frame} + \begin{center} + \textbf{Disclaimer}: I did not come up with any of this. 
+ \end{center} \end{frame} \begin{frame}[allowframebreaks]{A New Approach} \begin{itemize} - \item instead of a client-server approach, we have a peer-to-peer network - (p2p) where voters connect directly to each other + \item instead of a client-server approach, let's have a peer-to-peer (p2p) + network where voters connect to each other directly \end{itemize} \framebreak @@ -105,15 +113,16 @@ \begin{frame} \begin{itemize} - \item voters use standard means to identify and authenicate themselves (thinks - passwords, kerberos, LDAP, SSH/GPG finderprints, multipass, etc.) + \item Authentication is essentially the same as before: voters use standard + means to identify themselves (think passwords, kerberos, LDAP, SSH/GPG + finderprints, multipass, etc.) \end{itemize} \end{frame} -\begin{frame} +\begin{frame}{The big question} \begin{itemize} \item \textbf{Question}: how and to whom do we submit ballots? \pause - \item \textbf{Answer}: we ``share'' our secret ballot with everyone! + \item \textbf{Answer}: we ``share'' pieces of our secret ballot with everyone! \end{itemize} \end{frame} 
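Review bot: The rewritten Cons list drops `\item unverifiable` and `\item vulnerable to denial-of-service attacks`, so the wish-list frame that follows no longer has a verifiability requirement to answer. The talk nevertheless closes on exactly that problem, the invalid ballot in the constant term. I would keep `\item unverifiable` under Cons and add a wish-list bullet such as `\item lets anyone check that every counted ballot is valid`. The new text "such a system would be rife with corruption" also states a risk as a certainty; "a single point of failure and of corruption" is easier to defend.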
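Review bot: The rewritten authentication bullet fixes "authenicate" and "thinks" but still reads `finderprints`, which should be `fingerprints`; `kerberos` is also normally written `Kerberos`. "Authentication is essentially the same as before" leaves open who checks a credential once the server from the traditional design is gone, at least as far as the visible frames show. A short bullet naming the verifying party (each peer, or a registrar that signs voter keys) would make the claim checkable.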
@@ -206,12 +215,12 @@ Let's sum those values! \begin{align*} - S_i(x_i) = &P_1(x_i) + P_2(x_i) + \dots + P_k(x_i) \\ - = &\left( c_1 + a_{(1,1)} x_i + a_{(1,2)} x_i^2 + \dots + a_{(1,k-1)} x_i^{k-1} \right) + \\ - &\left( c_2 + a_{(2,1)} x_i + a_{(2,2)} x_i^2 + \dots + a_{(2,k-1)} x_i^{k-1} \right) + \\ - &\cdots \\ - &\left( c_k + a_{(k,1)} x_i + a_{(k,2)} x_i^2 + \dots + a_{(k,k-1)} x_i^{k-1} \right) \\ - = &\sum_{j=1}^k c_j + x_i \sum_{j=1}^k a_{(j,1)} + x_i^2 \sum_{j=1}^k a_{(j,2)} + \dots + x_i^{k-1} \sum_{j=1}^k a_{(k,2)} + S_i = &P_1(x_i) + P_2(x_i) + \cdots + P_k(x_i) \\ + = &\left( c_1 + a_{(1,1)} x_i + a_{(1,2)} x_i^2 + \cdots + a_{(1,k-1)} x_i^{k-1} \right) + \\ + &\left( c_2 + a_{(2,1)} x_i + a_{(2,2)} x_i^2 + \cdots + a_{(2,k-1)} x_i^{k-1} \right) + \\ + &\cdots \\ + &\left( c_k + a_{(k,1)} x_i + a_{(k,2)} x_i^2 + \cdots + a_{(k,k-1)} x_i^{k-1} \right) \\ + = &\sum_{j=1}^k c_j + x_i \sum_{j=1}^k a_{(j,1)} + x_i^2 \sum_{j=1}^k a_{(j,2)} + \cdots + x_i^{k-1} \sum_{j=1}^k a_{(j,2)} \end{align*} \end{frame} 
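Review bot: The last term of the closing line still has the wrong index. The hunk changes `\sum_{j=1}^k a_{(k,2)}` to `\sum_{j=1}^k a_{(j,2)}`, but the coefficient of `x_i^{k-1}` is the sum of the `a_{(j,k-1)}`, so the term should read `x_i^{k-1} \sum_{j=1}^k a_{(j,k-1)}`. On style, the alignment marker sits after the relation (`= &`), which drops the space after the equals sign in `align*`; `&=` on the relation rows and `&\quad` on the continuation rows is the usual form. The enclosing frame begins above the hunk.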
@@ -223,10 +232,97 @@ \end{frame} \begin{frame} - Everyone now has $S_1$, $S_2$, $\dots$, $S_k$ + \begin{itemize} + \item Everyone now has $S_1$, $S_2$, $\dots$, $S_k$: \pause + \begin{align*} + S_1 &= \sum_{j=1}^k c_j + x_1 \sum_{j=1}^k a_{(j,1)} + x_1^2 \sum_{j=1}^k a_{(j,2)} + \cdots + x_1^{k-1} \sum_{j=1}^k a_{(j,2)} \\ + S_1 &= \sum_{j=1}^k c_j + x_2 \sum_{j=1}^k a_{(j,1)} + x_2^2 \sum_{j=1}^k a_{(j,2)} + \cdots + x_2^{k-1} \sum_{j=1}^k a_{(j,2)} \\ + &\vdots \\ + S_k &= \sum_{j=1}^k c_j + x_k \sum_{j=1}^k a_{(j,1)} + x_k^2 \sum_{j=1}^k a_{(j,2)} + \cdots + x_k^{k-1} \sum_{j=1}^k a_{(j,2)} + \end{align*} \pause + \item These are $k$ points all on the same $k-1$ degree polynomial: + \begin{equation*} + (x_1, S_1), (x_2, S_2), \dots, (x_k, S_k) + \end{equation*} + \end{itemize} +\end{frame} + +\begin{frame} + \begin{itemize} + \item Since we know $k$ points of the $k-1$ degree polynomial, we can find the + coefficients and constant term of it with a little linear algebra: \pause + \begin{equation*} + \begin{bmatrix} + 1 & x_1 & x_1^2 & \cdots & x_1^k \\ + 1 & x_2 & x_2^2 & \cdots & x_2^k \\ + \vdots & & & \ddots \\ + 1 & x_k & x_k^2 & \cdots & x_k^k + \end{bmatrix} + \begin{bmatrix} + \sum_{j=1}^k c_j \\ + \sum_{j=1}^k a_{(j,1)} \\ + \sum_{j=1}^k a_{(j,2)} \\ + \vdots \\ + \sum_{j=1}^k a_{(j,2)} + \end{bmatrix} = + \begin{bmatrix} + S_1 \\ + S_2 \\ + \vdots \\ + S_k + \end{bmatrix} + \end{equation*} + \end{itemize} +\end{frame} + +\begin{frame} + \begin{equation*} + \text{RREF}\left( + \begin{bmatrix} + 1 & x_1 & x_1^2 & \cdots & x_1^k & S_1 \\ + 1 & x_2 & x_2^2 & \cdots & x_2^k & S_2 \\ + \vdots & & & \ddots \\ + 1 & x_k & x_k^2 & \cdots & x_k^k & S_k + \end{bmatrix} + \right) + \end{equation*} +\end{frame} + +\begin{frame} + Notice that the constant term of the final polynomial is $\sum_{j=1}^k c_j$, + which is precisely the result of the election! +\end{frame} + +\begin{frame}{In Summary} + \begin{enumerate} + \item Every voter creates and publishes an $x_i$. 
\pause + \item Every voter creates a random polynomial of degree $k-1$ where $k$ is the + number of voters and embeds their ballot in the constant term of the + polynomial. \pause + \item Every voter evaluates their polynomial with each of the inputs ($x_i$'s) + and sends each respective voter his/her result. \pause + \item Every voter sums the polynomial outputs they've received. \pause + \item All $k$ sums the voters compute are used to find the constant term of a + polynomial whose constant term is precisely the sum of all ballot. + \end{enumerate} +\end{frame} + +\begin{frame} + \begin{center} + There's a problem\dots \\[0.5cm] \pause + + What's to stop someone from putting an invalid ballot in the constant term + of their polynomial that sways the election in their favor? \\[0.5cm] \pause + + For example, in a ``yes/no'' election, someone could put 2 for their ballot + and have the result of 2 votes. + \end{center} \end{frame} -\begin{frame}{A High-Level Overview of the Protocol} +\begin{frame}{The Remedy} + The definitive answer: + + \url{https://vitalik.ca/general/2017/11/09/starks\_part\_1.html} \end{frame} \end{document} \ No newline at end of file -- 2.38.4
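Review bot: The Vandermonde matrix on the new linear-algebra frame, and its augmented copy on the RREF frame, runs its columns up to `x_i^k`. That gives k+1 columns against a k-entry unknown vector; for a polynomial of degree k-1 the last column should be `x_i^{k-1}`. The same frames label the second sum `S_1` where `S_2` is meant, and repeat `a_{(j,2)}` as the coefficient of the highest power where `a_{(j,k-1)}` is meant. Step 1 of the summary should also say that the published `x_i` must be distinct and nonzero: equal points make the system singular, and a point at 0 gives `P_j(0) = c_j`, which is the sender's ballot itself. Step 5 reads "sum of all ballot" and should read "ballots".

```latex
\begin{bmatrix}
  1 & x_1 & x_1^2 & \cdots & x_1^{k-1} \\
  1 & x_2 & x_2^2 & \cdots & x_2^{k-1} \\
  % … unchanged: \vdots row …
  1 & x_k & x_k^2 & \cdots & x_k^{k-1}
\end{bmatrix}
% … unchanged: first entries of the coefficient vector …
  \sum_{j=1}^k a_{(j,k-1)}
% … unchanged: right-hand side S_1 … S_k; the RREF frame takes the same column fix …
```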