Applications: Banking and Ballots

Some of the protocols discussed in this chapter seem somewhat artificial or designed for rarely occurring situations. However, similar protocols are needed and to some extent already used for important frequently occurring purposes. Some examples will be outlined in this section. The choice of a particular protocol is always a compromise between various security issues and the complexity in executing the protocol.

Nowadays, in cashless payment systems, the amount of transaction data and their computerization drastically increases. This development will continue when home banking becomes more common. In most cases, such payment systems are completely unacceptable, since the banks and even the computer manufacturers can easily observe who pays what amount to whom and when. Payment systems guaranteeing security against fraud, and also enabling unobservability of clients, are necessary. Measures of jurisdiction alone are insufficient, since infringements can hardly be discovered.

For instance, the following requirements are connected with the unobserv­ability of clients. Each payment should be secret from an eavesdropper. Unless the client wishes otherwise, each of his/her actions should be unlinkable to actions that have taken place earlier. The client should be able to do business anonymously: the banks and the client's business partners should not be able to find out his/her identity. One might also require that it is possible for a payer to make off-line payments to arbitrary payees in a way that the latter can verify the payment without using the network.

Since a trusted referee is impractical in a big system, such requirements lead to protocol problems similar to the ones considered in this chapter. We do not enter the details. The reader is referred, for instance, to [BuP], for a general model of unobservable payment systems.

Cryptographic protocols can also be utilized in devising the arrangements through which the voters signal their opinions. Arrangements aimed at assuring secrecy are of special importance as regards elections through a network.

In secret balloting systems the transmission of messages should be secured against eavesdroppers. Moreover, in some cases also authentication is needed. We assume that these requirements are taken care of and focus the attention on specific issues dealing with balloting. In particular, we consider the following four issues, (i) Only legitimized voters should cast a vote, (ii) The ballots should be kept secret, (iii) Nobody is allowed more than one vote, (iv) Every voter should be able to verify that his/her vote has been taken into account in the computation of the electoral outcome. A protocol satisfying (iH>^v) is effective against at least the most obvious forms of electoral fraud.

A straightforward protocol would be based on an agency that checks the legitimization of each voter, and computes and publicizes the electoral outcome. Assume, further, that each voter sends a secret identification number together with the vote and that the outcome is publicized by issuing a list of sets

(*) , R2> ■ ■ ■, Rt ■>

where R_t, 1 < i < k, is the set of secret identifications of those voters who voted for the i-th candidate or, more generally, adopted the i-th voting strategy. Then the conditions (i)—(iv) are satisfied with the exception that (ii) is violated in the sense that the agency knows how each voter voted. This violation becomes impossible if there are two agencies: one for legitimization (L) and, the other, for computing and publishing the outcome (C). The agency L sends to the agency C the set N of all identification numbers of voters but there is no further contact between the two agencies. Then protocol for a voter A is as follows.

Step 1: A sends a message, for instance, "hello I'm A" to L.

Step 2: If A is allowed to vote, L sends an identification number i(A) to A and also removes A from the set of electors. If A is not allowed to vote, L sends a message "reject" to A.

Step 3: A chooses a secret identification s(/4) and sends C the triple (/(A), v(A), s(/l)), where v(A) is /I's vote.

Step 4: C finds out whether or not i(A) is in the set N. If it is, C removes i(A) from N and adds s(/l) to the set of electors who voted for v(A). If it is not, C does nothing.

Step 5: At a previously specified time, C computes and publicizes over the network the outcome, as well as the list (*).

To add security, some public-key cryptosystem may be used in Steps 1-3. Messages are sent authenticated and encrypted by the receiver's public encryption key.

A person B who is not a legitimized voter may try to cheat by guessing an identification number i(B). Similarly, a legitimized voter A may try to cheat by guessing further identification numbers. Such attempts are not likely to succeed if proper identification numbers are sparse among all conceivable numbers, say, 10⁶ identification numbers are distributed among the 10¹⁰⁰ first integers. If identifica­tion numbers are defined to be numbers of the form lOn + i„, n = 1, 2,. . . , where i„ is the H-th decimal in the decimal expansion of n, they are not sparse enough.

The above protocol is vulnerable to the collusion of agencies L and C. Clearly, the combined knowledge of L and C discloses how each voter voted. A much more sophisticated protocol is needed to overcome this difficulty. The protocol is based on the secret selling of secrets discussed in Section 6.5. Since the agencies cheat by cooperating, we assume as well that there is only one agency C which replaces L in the above protocol. The only other difference is that in Step 2 an eligible voter A "buys" secretly from C an identification number. This means that all possible identification numbers are publicized by C in an encrypted form. C then decrypts one of them for A but does not know which one. The probability of two voters buying the same number can be made negligible by choosing much more encrypted numbers than there are voters. On the other hand, even the encrypted numbers should be sparse among the numbers the electors might guess.

It is to be added that the agency C is not at all needed if ideas presented in Section 6.4 are used. A more detailed account of secret balloting systems will be given in Section 6.10.

Date: 2015-02-16; view: 846