Information-Theoretically Secure Voting Without an Honest Majority

Information-Theoretically Secure V oting Without an Honest Ma jorit y Anne Broadb ent and Alain T app D´ epartement d’informatique et de rec herche op´ erationnelle Universit ´ e de Mon t r´ eal, C.P . 6128, Succ. Centre-Ville Mon tr´ eal (QC), H3C 3J 7 Canada { broadb ea, tappa } @iro.umontreal.c a Abstract. W e present three voting proto cols with un conditional priv acy and information-theoretic correctness, w ithout as suming a ny b ound on the num b er of corrupt voters or voting authorities. All protocols hav e p olynomial complexity and require priv ate c hann els and a sim u ltaneous broadcast c hann el. Our first proto col is a basic voting scheme which al- lo ws v oters to interact in order to compute the tally . Priv acy of the b allo t is u n conditional, but any vo ter can ca use the protocol to fail , in whic h case information ab out the ta lly ma y nevertheless t ranspire. Our s econd protocol introduces voting authorities whic h allo w th e implemen tation of the first proto col, while reducing the interactio n and limiting it to b e only b etw een voters an d authorities and among the aut horities them- selv es. The sim u ltaneous broadcast is al so limi ted to the authorities. As long as a single aut h orit y is honest, the priv acy is uncond itio nal, ho wev er, a single corrupt authority or a single corrupt vo ter can cause the proto- col to fail. Our final proto col pro v ides a safeguard ag ainst corrupt v oters by enabling a verification technique to allo w the authorities t o revok e incorrect votes. W e also discuss th e implemen tation of a simultaneous broadcast channel with the use of temp orary compu tational as sump- tions, yielding versions of our proto cols achieving everla sting securit y . Keywords: multipart y computation, election proto col, d ining cry ptog- raphers, in formation-theoretic security , election aut horities , ballot veri- fication. 1 In t r oduction Multiparty secure computation enables a gro up o f n participants to co llabo- rate in order to compute a function o n their priv a te inputs. Ass uming that priv ate rando m keys are shared betw een each pair of participants, ev ery func- tion can b e securely computed if a nd only if less than n/ 3 par ticipan ts ar e c o r- rupt; this fundamen ta l result is due to David Chaum, Claude Cr ´ ep eau and Iv a n Damg ˚ ard [CCD88] a nd to Michael Ben-Or, Shafi Goldwasser a nd Avi Wigder- son [BO GW88]. When a broadca st c ha nnel is av a ilable, the re s ults of T a l Rabin and Mic hael Ben-Or [RBO89] tell us that this pr opor tion can be impr o ved to n/ 2. 2 Anne Bro adb en t and A lai n T app Among a ll functions that can b e computed with these general-purp ose proto- cols, p erhaps the o ne that has the mo st ob v ious application is voting. If we ha ve a guara n tee on the prop ortion of honest participants, a secure v oting proto col based only on pairwise pr iv ate c hannels ca n b e implemented (if, in addition to this, we have a broadcast c hannel, then w e can tolerate more c heaters). Here, w e are in ter ested in the case where no such guar an tee is a v aila ble. The first pr otoco l for voting that is information-theor etically secure even in a pr e sence of a ma- jority of dishonest par ticipan ts was pr esen ted in [B T07 ]. Along with the use of priv ate communication, the proto col uses a simultaneous broadcast channel. In this extended a bs tract, we fir st give a new presen tatio n of the or iginal proto col, follow ed b y tw o protoco ls which present sig nifican t improv ements on the original one. Although our initial motiv ation was of theor etical na tur e, we b eliev e that this work may lead to int eresting practical applications. All three proto cols ar e obtained from t wo simple yet powerful observ ations . First, if the dinning cryptographer ’s proto col [Cha88] is used to compute the parity function and is implement ed with a sim ultaneo us bro a dcast channel, then it is p erfect. The second o bserv a tion is that if a string of n bits is shared among n participants is s uc h that the parity o f the n bits is random (and unknown), then it is imp ossible for an y strict s ubset o f participants to lo cally derandomize this parity . In our first proto col, w e assume that each pair of v o ters is connec ted by a pr iv ate authen tic c hannel. In our second a nd third protoco ls, we relax this assumption b y introducing voting authorities . The assumption then becomes that there are priv a te and authen tic c ha nnels only b et ween v oter s and the authorities and among the authorities themselves. All three pro tocols require a simultaneous broadca st c hannel [CGMA85,HM05], which, for our purp ose, is a co llection of broadcas t channels where the input of one participant cannot dep end on the input of an y other participan t. This could be ach ieved if a ll participan ts simultane ously p erformed a broadca st. In t he con- text of our second and third proto cols, a simultaneous br oadcast among the authorities is sufficient. It is not uncommon in m ultiparty computation to allo w additional resour c es, even if these reso urces cannot b e implemen ted with the threshold on the ho nest participants (the r esults of [RBO89] whic h co m bine a broadca st channel with n/ 2 honest par ticipan ts b eing the most obvious example). Our work sugge sts that a sim ultaneo us bro adcast channel is a n interesting primitiv e to study in this context. F urther more, given a resour ce to implemen t bit commitment, we can implemen t a s im ultaneous broadca st: all participants commit to t heir v alues, and then all participants op en these v a lues. Since bit commitment can b e im- plement ed based on the laws o f relativity [Ken9 9] (or more pre cisely , bas ed on the p ostulate that information cannot trav el faster then the sp eed of light), we conclude that simult aneous broadcast can also be achiev ed in this mo del. I t may also b e p o ssible to directly implement a simultaneous bro adcast using the laws of relativity . Information-Theoretically Secure V oting 3 Since a simultaneous br oadcast channel can b e achieved using bit commit- men t, which itself can be implemen ted with computationa l assumptions, we can replace in all o ur protoc ols the use of a simultaneous br oadcast channel with tempo rary co mputational as sumptions. Our pro tocols then pr o vide everlasting security: as long as the co mputatio nal ass umptions a re no t bro k en during the execution of the pro tocol (more precisely , during the simulation of the simulta- neous broadcas t), the security o f the protoc ols is p erfect. Note that the priv acy of individual votes remains p erfect even if these computational ass umptions ar e broken during the proto col. 1.1 Common F eatures to All Proto cols Our voting proto cols inv o lve n voters, each cas ting a ballo t for a single choice among m candidates. The goal of the proto cols is to faithfully count the num be r of ballo ts in fav our of each candidate in such a way that voter’s ballots remain priv ate, honest ballots are coun ted and dis ho nest voters canno t influence the vote an y mor e than b y hone s tly v o ting. The proto cols w e pr esen t a re based on a techn ique pr esen ted in [BT07]. The first pro tocol involv es only the voters but the last tw o inv olve r voting authorities. In all protoco ls , dishonest pa rticipan ts can make the proto col fail (in our last proto col, only dishonest author ities can achiev e this). All three proto cols use pr obabilistic techniques to co rrectly ev alua te the tally for eac h candidate. F or this reason, the proto cols ar e only corre ct with probability 1 − 2 − Ω ( s ) , with s b eing a c hosen security par ameter. W e present our proto c ols in the regular setup where e ac h voter casts a ballot with a c ho ic e for a single candidate. Our protoc o ls can easily be ada pted to allow any num b er of voices p er ballot (a llowing, f or instance, eac h v oter to e ither choose t wo ca ndidates, or to vote t wice for the s a me candidate). W e can also add a dummy candida te to allo w voters to honestly cancel their ballots. 1.2 Summary of Res ults All three proto cols a r e exclusively ba sed on priv a te authentic c hannels and a simult aneous bro adcast c ha nnel. In the first pro tocol, no assumption is made o n the num b er o f honest voters a nd in the last tw o, the only ass umption is that at least one authority is honest. Under these assumption, our proto cols provide per fect priv ac y and correctness . This was believed t o be imp ossible [Gra08]. The ma jor dra wback is that any disho nest pa rticipan t can ma k e an y pr otocol fail (except in our third pr otocol, where only dishonest a uthorities can make the proto col fail). Proto cols 2 and 3 mak e use of voting authorities. If we group the author ities together, they a c t as a trusted thir d pa rt y , which means tha t co llectiv ely they can violate priv acy and correctness of the pr otoco l. How e v er , taken individually , bo th priv ac y a nd cor rectness are g uaranteed as long as a single authority is honest. This suggests that in pra ctice, authorities co uld b e chosen to represe nt different interest groups, with eac h voter needing to trust only a sing le a uthorit y (note that it is not necessa ry for the voters to trust the same autho r it y!). 4 Anne Bro adb en t and A lai n T app It is common in multipart y computation to compare an implemen tation of a functionality with its ide al funct ionality . This idea l functionality is repr esen ted as a black box, accepting priv a te inputs from each participant and priv ately communicating the function ev a luation on these pr iv ate inputs ba ck to each participant. W e now review the main features of each protoco l. Basic V oting (section 2) • Only voters are in volved in the proto col. • A coalition of dishonest voters can only lea rn through the protoco l what they would lea rn in the ideal functionalit y , and this even (and a lso) if the proto col fails. • A single dishonest voter can mak e the proto col fail. • If the proto col do es not fa il, then it is cons isten t with all ballots of the ho nest voters a nd some assignment of ba llots for the dishonest v oter s. • Dishonest voters cannot v o te a daptiv ely . V oting with Authoriti es (section 3) • V oters and a small num b er of authorities are inv olved in the proto col. • V oters only interact with authorities. • If at least one authority is hones t, a coa lition o f dishonest voters and au- thorities can only learn what they would learn in the ideal functionality , and this even (a nd also) if the proto col fails. • A single dishonest voter or authority can make the protoc ol fail. • If at least one author it y is honest and if the pr otocol do es not fail, then it is consistent with all ballots of the honest voters and so me as signmen t of ballots for the dishonest voters. • If at least one authority is hones t, a coa lition o f dishonest voters and au- thorities cannot vote a daptiv e ly . V oting with Authoriti es and V erification (sectio n 4 ) • V oters and a small num b er of authorities are inv olved in the proto col. • V oters only interact with authorities. • If at least one authority is hones t, a coa lition o f dishonest voters and au- thorities can only learn what they would learn in the ideal functionality , and this even (a nd also) if the proto col fails. • No coa litio n of voters alone can mak e the proto col fa il. • A single dishonest authority can mak e the proto col fail. • If at least one author it y is honest and if the pr otocol do es not fail, then it is consistent with all ballots of the honest voters and so me as signmen t of ballots for the dishonest voters. • If at least one authority is hones t, a coa lition o f dishonest voters and au- thorities cannot vote a daptiv e ly . • Dishonest voters v o ting inappropriately will ha ve their ballot revok e d. • A dishonest authority can c ho ose to revok e the ballot of a n honest v o ter. • When a ballo t is revoked, all voters and authorities know ab out it. Information-Theoretically Secure V oting 5 2 Basic V oting Proto col W e present a proto col that allows n voters to c o nduct an m -candida te vote. First, some notation: w e say that pa rticipan ts share a distribute d bit with value b if each participant holds a bit and the par it y (binar y XOR) o f all bits is b . Within a gro up o f n participants, w e say that a voter c onst ructs a distributed bit with v alue b if he cho oses b i ∈ R { 0 , 1 } such that L n i =1 b i = b and s e nds priv ately b i to participant i . The v alues { b i } ( i = 1 , . . . n ) are called shar es . F or now, v oter s create distributed bits among themselves. In sections 3 and 4, voters will crea te distributed bits among authorities. Our basic pro tocol is given as Protocol 1 . Proto col 1 Bas ic voting proto col Input: x i ∈ { 1 , . . . , m } and securit y parameter s Output: fo r k = 1 to m , y [ k ] = | { x j | x j = k }| Phase A (cast) F or eac h candidate k = 1 to m , 1. Eac h voter i sets the v alue of n 2 s bits p ij k ( j = 1 , . . . , n 2 s ) in the follo wing wa y: if x i 6 = k , then all bits are 0; otherwise, exactly ns bits (a fraction 1 /n of the tota l) are rand omly chose n suc h that p ij k = 1 and the rest such that p ij k = 0. 2. F or each j = 1 , . . . , n 2 s , eac h voter i constru cts a distributed bit with v alue p ij k . Let the shares of eac h distributed bit b e denoted { p ij kℓ } ( ℓ = 1 , . . . n ) Phase B (broadcast) F or every j and k , eac h voter ℓ , computes the parity of all received bits, q j kℓ = L n i =1 p ij kℓ . A ll bits are then simultaneously broadcas t. Phase C (tall y ) T o compute the tally , y [ k ], for each v alue k = 1 , . . . , m , eac h voter sets: v [ k ] j = L n ℓ =1 q j kℓ , σ [ k ] = P n 2 s j =1 v [ k ] j n 2 s and if there exists an integer v such that | σ [ k ] − p v | < 1 2 e 2 n , where p v = 1 2 ` n − 2 n ´ v ““ n n − 2 ” v − 1 ” , th en y [ k ] = v . If for an y m , no su c h v alue v ex ists, or if P m k =1 y [ k ] 6 = n , the protocol fails. The complexity of Proto col 1 is as follo ws: n voters each cr eate mn 2 s distributed bits, for a total of n mes sages of size mn 2 s . Pha se B requires a single simultaneous broadcast among n participa nts, each sending a message of size mn 2 s . Lemma 1. (Corr e ctness) If Pr oto c ol 1 do es not fail, the r esult of the vote is c onsistent with the vote of the honest voters and some non-adaptive choic e for the dishonest voters, ex c ept with pr ob ability ex p onential ly sm all in s . Pr o of. Our proto col is presented in a way that minimizes the num b er of messages sent by each voter; it is p erhaps best understo o d in tuitively in its sequen tial version. F r om this p oint of view, the following is re p eated n 2 s times. F or each candidate, voters create a distributed bit. The v alue of the distributed bit is 1 with probability 1 /n if this is the candidate the voter c ho oses and alw ays 0 6 Anne Bro adb en t and A lai n T app otherwise. All voters co mpute the X OR of all their sha res and the result will even tually b e simultaneously br oadcast. The proba bility that the par it y of the broadcas t v alue is 1 is directly pr opor tional to the num b er of voters voting for the candidate. By r epeating this pro cess with each ca ndida te n 2 s times, w e can gather enoug h statistics to compute the v o te exactly with v e r y high proba bilit y . The only place a voter can deviate from the proto col is by cr eating dis- tributed bits with an inappr opriate ratio of 0 and 1 v alues. W e firs t no te that if the co rrupted voters actua lly transmit the cor rect num b er of priv a te bits in phase A and bro adcast the correct num b er of bits in phase B , then what- ever they actually send is consistent with some glo ba l ratio of even and o dd distributed bits. The r atio of even and odd distributed bits, when XORed, will give rise to so me probability of an ev en or an o dd bit in the simultaneous broadcas t. It is possible to randomize the parity but not to der andomize it: the co rrupt participan ts altogether can increase the pro babilit y of an o dd broadcast but not make it smaller. Because v o tes for each candidate are added up for a consistency chec k , either the co rrupted voters mak e a consis ten t num b er of votes or otherwise the proto col will fail. The use of a sim ultaneous broadcast c hannel ensures tha t the voter’s inputs a re independent of eac h other. In the rest of the pro of, we g iv e a detailed analysis , using a Cher no ff-t yp e argument that the result of the vote will b e cor r ect with ov er whelming proba- bilit y . W e fix a v alue k and suppose that v voters hav e input x i = k . Thus we need to show that in Proto col 1 , y [ k ] = v , except with probabilit y exp onen tially small in s . Let us lo ok a t phase C o f the pr otoco l. Let p v be the proba bilit y that v [ k ] j = 1. F or v ≤ n , w e have p 0 = 0, p 1 = 1 n and p v +1 = p v  1 − 1 n  + (1 − p v ) 1 n . Solving this recurr ence, we get p v = 1 2  n − 2 n  v  n n − 2  v − 1  . (1) Thu s, the idea of phase C is for the participants to approximate p v by comput- ing σ [ k ] = P n 2 s i =1 v [ k ] j /n 2 s . If the a ppro ximation is within 1 2 e 2 n of p v , then the outcome is y [ k ] = v . W e first show that if suc h a v ex ists, it is unique. Clearly , for v < n , w e ha ve that p v +1 > p v . W e also ha ve lim n →∞ p n = 1 2 − 1 2 e 2 . Thus the differe nce b et ween p v +1 and p v is: p v +1 − p v = p v  1 − 1 n  + (1 − p ) 1 n − p v (2) = 1 − 2 p v n > 1 − 2 p n n > 1 e 2 n . (3) Hence if such a v exis ts, it is unique. W e now show that except with pr o ba- bilit y exponentially small in s , the corre ct v will b e chosen. Let X = P n 2 s j =1 v [ k ] j with µ = n 2 sp v the ex pected v a lue of X . The participants hav e co mputed σ [ k ] = X n 2 s . Information-Theoretically Secure V oting 7 By the Chernoff bo und, for an y 0 < δ ≤ 1, Pr[ X ≤ (1 − δ ) µ ] < exp( − µδ 2 / 2) . (4) Let δ = 1 2 e 2 np v . W e hav e Pr[ X ≤ µ − n 2 s 2 e 2 n ] < ex p( − n 2 s 8 e 4 n 2 p v ) (5) and so Pr[ σ [ k ] i − p v ≤ − 1 2 e 2 n ] < exp( − s 8 e 4 p v ) (6) Similarly , still by the C her noff bound, for any δ < 2 e − 1, Pr[ X > (1 + δ ) µ ] < exp( − µδ 2 / 4) (7) Let δ = 1 2 e 2 np v and w e get Pr[ X > µ + n 2 s 2 e 2 n ] < exp( − n 2 s 16 e 4 n 2 p v ) (8) and so Pr[ σ [ k ] i − p v > 1 2 e 2 n ] < exp( − s 16 e 4 p v ) . (9) Hence the proto col pro duces the corr ect v alue for y [ k ], except with probability exp onen tia lly sma ll in s . ⊓ ⊔ Lemma 2. (Privacy) In Pr oto c ol 1 , no gr oup o f c orrupte d voters c an le arn mor e than what they would have le arne d in the ide al functionality, and this even if the pr oto c ol fails. Pr o of. No assumption is ma de ab out the num b er o f dishonest voters. The case where a ll v o ters are cor r upted is trivially pr iv ate and in the c ase where o nly one voter is ho nest, his vote can b e deduced even in the ideal functionalit y . When more than one voter is honest, priv acy require s that, even if the tally of the honest voters is known, the individual ballots remain priv ate. In phase A , as long as at lea st one voter is honest, the v alue of each dis- tributed bit is per fectly hidden. In phase C , no information is sent. W e th us hav e to concentrate on phase B whe r e the voters broa dcast their informa tio n regar ding each parity . Let H b e the set o f honest voters. The dishonest voters learn L ℓ ∈ H q j kℓ but no information o n these individual v alues is r e v ea le d. The dishonest voters can thus only ev aluate the pro babilit y that this v alue is 1 but this informa tio n could be deduced from the o utput of the ideal fu nctionality , for instance b y fixing the corr upt par ticipan ts’ inputs to 1. ⊓ ⊔ It is impor tan t to note that the ab o ve results do not exclude th e possibility of corrupted voters causing the proto col to fail while still learning s o me information as stipulated in Lemma 2. This information c ould unfortunately b e used to ada pt the be ha vio ur of the c o rrupted v o ters in a future ex ecution of Proto col 1 . 8 Anne Bro adb en t and A lai n T app 3 V ot ing with Authorities In this se ction, we introduce a v aria tion o f the previous voting proto col. Our motiv ation is to reduce the mess a ge co mplexit y for the voters a nd reduce the need of priv ate channels by introducing a rela tiv ely small num b er of voting authorities and b y only requiring v oter s to c omm unicate with these authorities. Additionally , the sim ultaneous broadcast is only requir ed among the authorities. In this section and the following, we say that a voter constructs a distributed bit among the authorities if the voter cr eates a distributed bit as in sectio n 2 , except that the shares are distributed only among the authorities. Our pr otoco l is given as Proto col 2 . Proto col 2 V oting with author ities Input: x i ∈ { 1 , . . . , m } and securit y parameter s Output: fo r k = 1 to m , y [ k ] = | { x j | x j = k }| Phase A (cast) F or eac h candidate k = 1 to m , 1. Eac h voter i sets the v alue of n 2 s bits p ij k ( j = 1 , . . . , n 2 s ) in the follo wing wa y: if x i 6 = k , then all bits are 0; otherwise, exactly ns bits (a fraction 1 /n of the tota l) are rand omly chose n suc h that p ij k = 1 and the rest such that p ij k = 0. 2. F or each j = 1 , . . . , n 2 s , eac h voter i constructs a d istributed bit am ong the au- thorities with v alue p ij k . Let t he shares of each distributed bit b e denoted { p ij kℓ } ( ℓ = 1 , . . . r ) Phase B (broadcast) All au t horities ℓ , f or ev ery j and k sim ultaneously broadcast q j kℓ = L i p ij kℓ Phase C (tall y ) T o compu te the tally , y [ k ], for eac h va lue k = 1 , . . . , m , each participant sets: v [ k ] j = L n ℓ =1 q j kℓ , σ [ k ] = P n 2 s j =1 v [ k ] j n 2 s and if there exists an integer v such that | σ [ k ] − p v | < 1 2 e 2 n , where p v = 1 2 ` n − 2 n ´ v ““ n n − 2 ” v − 1 ” , th en y [ k ] = v . If for an y m , no su c h v alue v ex ists, or if P m k =1 y [ k ] 6 = n , the protocol fails. Eac h auth orit y broadcasts the outcome of the tally , if there is any disagreemen t, the protocol fails. The complexity of Proto col 2 is as follows: n voters eac h create mn 2 s dis- tributed bits, which are distributed among r authorities, for a total of nr mes- sages of size mn 2 s . Phase B requir es a single simultaneous broadcast among r authorities, eac h sending a message of size mn 2 s . Phase C requir es r broadca sts of size as most m lo g n . Lemma 3. (Corr e ctness) If at le ast one authority is honest, and if Pr oto c ol 2 do es not fail, the r esult of the vote is c onsistent with the vote of the honest vo ters and some non-adap tive c hoic e for the di shonest vo ters, exc ept with pr ob ability exp onential ly smal l in s . Pr o of. The pro of is o btained b y r eplacing voters by a uthorities a t the a ppro- priate place in pro of o f Lemma 1. It is imp ortant here that the corr ectness Information-Theoretically Secure V oting 9 probability only depends on s and not on the num b er of voters o r authorities. ⊓ ⊔ Lemma 4. (Privacy) In P r oto c ol 2 , if at le ast one authority is honest, no c ol lusion of di shonest voters and aut hori ties c an le arn mor e than what they would have le arne d in the ide al functionality, and this even if the pr oto c ol fails. Pr o of. The pro of is very similar to the pro of of Lemma 2. In Proto col 2 , par t of the work per formed by the voters in Proto col 1 is do ne b y the authorities. If at least one authority is honest, there is no wa y dishonest participants (v oters or authorities) ca n learn an y information ab out the v alue of the distributed bit created b y an honest v oter. The rest of the arg umen t is the sa me as in Lemma 2. ⊓ ⊔ Note that in Proto col 2 , an y participant can make the proto col fail. V oters can do this, for instance, by setting a n abnor mally high num ber o f distributed bits to 1, and authorities can do this by c hanging their inputs into the simultane- ous broa dcast. F urthermore, note that in Phase B , although the simultaneous broadcas t happ ens among the author ities, it is not a pro blem if the voters are passive listeners. A t the end of Phase C , the a utho r ities broadcast the result of the tally . W e r equired unanimit y of thes e messa ges in order to declare that the proto col has succeeded. 4 V ot ing with Authorities an d V er ification One o f the is sues with the previous tw o pro tocols is that any voter can cause them to fail b y introducing noise. In this section, we use the cut-and-c ho ose techn ique, augmented with an equality test, to allow authorities to revok e a noisy ballot. This is done by having each voter distribute many encrypted but ident ical votes , where a vote is k lists of n 2 s bits (as cr eated, for instance, in step 1 of Phase A of Proto col 2 ). A vote is c orr e ct if its conten ts corr espond to the cons truction of s tep 1 of Phase A of P roto col 2 , i.e. all bits are even except one candidate which has exactly ns bits sets to 1 . The authorities then op en half of the votes and verify the co rrectness; a subsequent step will ensure that the unop ened v otes are equal, th us providing ex ponential securit y . Our proto col is pr esen ted as Proto col 3 , in which the authorities use the following t wo simple r outines. R andom choic es: autho rities can generate common random bits in the follow- ing w ay . Each authority locally genera tes a random bit, after which all authorities simult aneously br o adcast these bits. The common random bit is set to b e the parity of the broadca s t bits. Obviously , this v alue is truly random if at least one a uthorit y is hone s t. This pro cess can be done in parallel, req uiring only one simult aneous broadc a st. Distribute d bit e qu ali ty: suppo se the authorities shar e tw o distributed bits. They can verify if these tw o distributed bits have the s ame v alue without re - vealing this v alue. Let a = L r i =1 a i and b = L r i =1 b i be the tw o distributed bits. 10 Anne Bro adb en t and A lai n T app Each authority i simultaneously broa dc a sts c i = a i ⊕ b i . If L r i =1 c i = 0 then the distributed bits are equal (unless an authorit y is c hea ting). A dishonest author- it y can make the proto col o utput the wrong ans w er, but under no circumstance will this pro cess reveal any information abo ut the v alues of a or b . Proto col 3 V oting with author ities and verification Input: x i ∈ { 1 , . . . , m } and securit y parameter s Output: fo r k = 1 to m , y [ k ] = | { x j | x j = k }| as w ell as a list of voters with rev oked ballots Phase A (randomness) The aut horities generate enough common random bits. Phase B (verification and vote casting) F or eac h vo ter: 1. Eac h v oter executes step 1 of Phase A of Protocol 2 , th u s creating one vote . 2. 2 s copies o f the vote are made, a nd for each v ote, the sh ares of the distribut ed bits are computed as in step 2 of Phase A of Protocol 2 (the shares are indepen den t ly randomly c hosen). 3. Eac h vote is encrypted with tw o random p ermutatio ns: the first p erm u tation changes the order of the k candidates, and the second p ermutatio n c hanges the or- der of the n 2 s distributed bits (the same permutation is applied for eac h candidate within a vote). 4. The shares of the encrypted v otes are distribut ed among the authorities. 5. The auth oritie s ra ndomly c ho ose s votes and simultaneously broadcast all bits inv olved in these votes. 6. If an y of the opened v otes is not correct, the voter’s ballot is revoked. 7. Eac h authorit y rev eals to the voter whic h v otes w ere opened . If the v oter receiv es inconsisten t mess ages, his ballot is revok ed. 8. F or the s remaining votes, the voter rev eals to t h e auth oriti es b oth the p erm u tation that was applied on the distributed bits and the p ermutation that was applied on the candidates. The authorities permute their shares of the remaining votes so that all v otes are equal. 9. The authorities p erform distribute d bit e quali ty tests betw een eac h distributed bit of the first remaining vote and al l corresponding distributed bits for all other remaining vo tes. If any of these tests fail, then t he voter’s b all ot is rev oked. I f all tests succeed, all but the fi rst remaining v ote are discarded. Phase C (broadcast and tall y) Phases B and C of Protocol 2 are p erformed with all remaining n on-rev oked v otes. Note that in Proto col 3 , any disho nest authority ca n mak e the pro to col fail and any author it y can dishonestly revoke any v o ter’s ballo t. The complexit y of Proto col 3 is as follows: each of the n v o ters sends r mes- sages of size 2 mn 2 s 2 for the v o tes (step 4) and r messag es of size n 2 s 2 log( n 2 s ) + sm log( m ) fo r the p erm utations (step 8 ). In order to g enerate enoug h r andom bits, the authorities are in volved in a single sim ultaneous broadcast of size n lo g(  2 s s  ) ∈ O ( ns ). F or the rest o f the proto col, the r authorities ar e in volved in s tep 5 in a simultaneous bro a dcasts of size mn 2 s 2 for each voter; in s tep 7, they require a mes sage of size s for each voter, and in step 9, they br oadcast Information-Theoretically Secure V oting 11 ( s − 1) mn 2 s bits. Phase C requir es one las t sim ultaneous bro adcast of size mn 2 s as well as r broadca s ts of size as most m log n . Lemma 5. (Corr e ctness) If at le ast one authority is honest, and if Pr oto c ol 3 do es not fail, then every b al lot that is not r evoke d is c orr e ctly c ounte d exc ept with pr ob ability exp onential ly smal l in s . Pr o of. The pr oof is identical to the pr o of of Lemma 3 . The verification o f the vote o nly ma k es the pro tocol more robust. ⊓ ⊔ Lemma 6. (Privacy) In P r oto c ol 3 , if at le ast one authority is honest, no c ol lusion of di shonest voters and aut hori ties c an le arn mor e than what they would have le arne d in the ide al functionality. Pr o of. T o see that priv a cy of the vote is guaranteed if at least one authority is honest, we first observe that phase B of the pr otocol do es not rev ea l infor mation ab out the voters’ ch oice; it o nly ensures corr ectness of the vote. Once this phase is done, the r est o f the proto col is iden tical to Proto col 2 and the same argument as in Lemma 4 can b e used here. ⊓ ⊔ As mentioned at the beg inning of this section, in Proto cols 1 a nd 2 , a voter can v o te in an inconsisten t w ay , c ausing the proto col to fail with very high probability . In Proto col 3 the votes are verified: if a vote is not corr e ct, there is only a probability exponentially small in s that the vote will not b e revoked. Thu s, dishonest voters can only make the proto col fail with exp onen tially small probability in s . W e formalize this b elo w. Lemma 7. (R obustn ess) No c o alition of voters c an alone make the pr oto c ol fa il, exc ept with exp onential ly smal l pr ob ability in s . Pr o of. The o nly w ay for a voter not to provide the corr e ct information in phase B is to g enerate incorrect votes. Since half of the votes are op ened, and the other half is chec ked for equa lit y , the only way for a voter to successfully provide an incorrect ballo t is for the s op ened v o tes to be correct and the s remaining votes to b e incorrect, yet identical. This ha pp ens with ex ponentially small probability in s . ⊓ ⊔ 5 Conclusion W e pr esen ted three v o ting scheme with unconditional security and information- theoretic cor rectness, without assuming an y bound o n the num b er of corrupt voters or v oting authorities. F or this to succeed, we had to assume pairwise priv ate channels and a s im ultaneous bro adcast channel (as discussed, this as- sumption can b e replaced by temp orary computational a ssumptions, yielding everlasting security). W e also had to allow a ny participant to cause the proto col to fail. F or tunately , w e w ere able t o relax some of the ab o ve assumptions in Proto cols 1 and 3 by in tr oducing a set of voting authorities. 12 Anne Bro adb en t and A lai n T app W e are c urren tly co nsidering a tra deoff b et ween the revoking p o wer of a uthor- ities and the correc tnes s of the proto col. This can b e ac hieved as a mo dification of Proto col 3 b y ra ndomly gro uping the authorities and by p erforming the proto col in parallel within each gr oup. Although o ur initial motiv atio n was o f theoretical na tur e, we believe tha t this work mig ht lead to in ter esting practical applications. Ac kno wledgemen ts The authors wish to thank S´ ebastien Gam bs for pro ofrea ding and Jero en v an de Graaf for suggesting that we write up a nd submit our ideas. References [BOGW88] M. Ben-Or, S. Goldwasser, and A . Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Pr o c e e dings of the 20th annual A CM Symp osium on The ory of Computing (STOC) , pages 1–10, 1988. [BT07] A. Broadb ent and A. T app. Information-theoretic security without an hon- est ma jority . In Pr o c e e dings of the 13th International Confer enc e on the The ory and Applic ation of Cryptolo gy and I nformation Se curity (ASIA- CR YPT ’07) , pages 410–426, 2007. [CCD88] D. Chaum, C. Cr´ ep eau, and I. Damg ˚ ard. Multipart y unconditionally secure protocols. In Pr o c e e dings of the 20th annual ACM Symp osium on The ory of Computing (STOC) , pages 11–19, 19 88. [CGMA85] B. Chor, S. Go ldw asser, S. Micali, and B. Aw erbuch. V erifiable se cret sharing and achieving simultaneit y in th e presence o f faults. In Pr o c e e dings of the 26th annual IEEE Symp osium on F oundations of Computer Scienc e (F OCS) , pages 383–395, 1985 . [Cha88] D. Chaum. The dining cryp tographers problem: Unconditional sender and recipien t un t raceability . Journal of Cryptolo gy , 1:65–75, 1988. [Gra08] J. van de Graaf. Priv ate Comm unication, 2008. [HM05] A. H evia and D. Micciancio. Simultaneous broadcast revisited. In Pr o- c e e dings of the 24th annual ACM symp osium on Principles of distribute d c omputing , pages 324–333, 2005 . [Ken99] A. Ken t. Un conditionally secure bit co mmitment. Physic al R eview L etters , 83:1447 –1450, 1999. [RBO89] T. Rabin and M. Ben-Or. V erifiable secret sharing and m u ltiparty protocols with honest ma jori ty . In Pr o c e e dings of the 21st annual ACM Symp osium on The ory of Computing (STOC) , pages 73–85, 19 89.