1. Field of the Invention
The present invention relates to the general field of security of services accessible through a digital data transmission network, and more specifically to the field of electronic signature.
It applies notably, but not exclusively, to electronic voting and to electronic petitions.
2. Description of the Related Art
The electronic signature of a message implements a mechanism pertaining to so-called asymmetric cryptography: the signatory, who has a secret or private key and an associated public key, may produce a message signature by means of the secret key. To verify the signature, it is sufficient to have the public key.
In certain applications like electronic voting, the signatory should be able to remain anonymous. For this purpose, the so-called anonymous electronic signature has been developed. With the help of a public key, it makes it possible to determine whether the signatory of a message has certain rights (rights to sign the message, rights to have the secret key used for signing the message, etc.) while preserving the anonymity of the signatory. In addition, in voting or electronic petition applications, each authorized person should be able to sign only once.
Among anonymous signatures, there is also what is called the blind signature, which allows a person to obtain a signature of a message from another entity without the latter having to know the contents of the message, and without the latter being able to establish later the link between the signature and the identity of the signatory. This blind signature solution therefore requires the intervention of an intermediate entity who produces the signatures. In applications such as voting and electronic petition, each such solution involves an empowered authority who signs the vote of each voter or the petition for each petitioner.
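The blind signature flow described above can be sketched as follows. This is an added example, not taken from the present document or from the cited works; it assumes the RSA-based blinding construction with a constructed toy key, and the function names are hypothetical.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key for the signing authority (two Mersenne primes;
# far too small and too structured for real use).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # authority's private exponent

def digest(message: bytes) -> int:
    """Hash the message to an integer modulo N (no padding: illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(message: bytes):
    """Requester side: hide the digest with a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return digest(message) * pow(r, E, N) % N, r

def sign_blinded(blinded: int) -> int:
    """Authority side: signs a value that reveals nothing about the message."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Requester side: remove r to obtain an ordinary signature on the message."""
    return blind_sig * pow(r, -1, N) % N

def verify(message: bytes, sig: int) -> bool:
    """Anyone holding the public key (N, E) can verify."""
    return pow(sig, E, N) == digest(message)

def demo(message: bytes = b"ballot: candidate A"):  # constructed sample message
    blinded, r = blind(message)
    blind_sig = sign_blinded(blinded)   # all the authority ever sees
    sig = unblind(blind_sig, r)
    return blinded, blind_sig, sig

if __name__ == "__main__":
    blinded, blind_sig, sig = demo()
    print("signature verifies:", verify(b"ballot: candidate A", sig))
    print("authority saw the final signature:", blind_sig == sig)
```

The authority only ever handles the pair (blinded, blind_sig), so it cannot later match the published signature to the signing request.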
The concept of a group signature has also been proposed which enables each member of a group to produce a signature so that a verifier having an adequate public key may verify whether the signature was issued by a member of the group without being able to determine the identity of the signatory.
This concept is described, for example, in document:
[1] “A Practical and Provably Secure Coalition-Resistant Group Signature Scheme”, by G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, in M. Bellare, Editor, Advances in Cryptology, CRYPTO 2000, vol. 1880 of LNCS, pp. 255-270, Springer-Verlag 2000.
However, in this concept, a reliable authority may at any moment break this anonymity and determine the identity of a person of the group having issued a signature. In addition, this type of signature is said to be “non linkable”, i.e. it does not allow one to determine whether or not two signatures were issued by the same person without breaking the anonymity of the signature. Group signatures are used in many applications, such as electronic auctions, electronic cash, or even electronic voting. Group signature is utterly unsuitable for the latter application, as it authorizes a reliable authority to access the identity of a signatory, and it does not allow the linking of two signatures issued by the same person without determining the identity of the signatory. In addition, document [1] does not provide any process for revoking a member of the group.
To remedy the latter drawback, document [2] “Efficient Revocation of Anonymous Group membership Certificates and Anonymous Credentials” by J. Camenisch and A. Lysyanskaya, published by Cryptology ePrint Archive, IACR, 2002, proposes adding a revocation process to this concept (this document will also be published by M. Yung, Editor, CRYPTO 2002, Springer-Verlag 2002). However, this solution does not solve the problems of preserving the anonymity of the signatory and of the “linkability” of two signatures.
In an electronic voting application, it is further necessary to ensure security approaching that of traditional voting as closely as possible, in order to guarantee the following properties.
Nobody should be capable of knowing the results of the poll even partially before its closing. Everybody should be able to be persuaded of the validity of the final result of the poll. Finally, an empowered authority should be able to withdraw or revoke the voting right of a person.
Whether one is dealing with off-line voting, i.e. using an electronic voting machine set up in a polling station, or with on-line voting, i.e. remote voting, for example via the Internet, the presently proposed systems, which use a group signature as described in document [1] and completed in document [2], do not meet these conditions, except for revoking the right of signature.
Moreover, application of the blind signature concept to electronic voting is a solution for which implementation is awkward, as the voter is compelled to log on several times at each election. In addition, if the poll backfires, it cannot be determined who is responsible for this: a voter or the organizer of the poll.
The concept of mixer networks has also been proposed, notably in document [3] “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms” by D. Chaum, ACM 1981, each mixer being a function producing a list of numbers decrypted from a list of encrypted numbers, while concealing the match between the encrypted and decrypted numbers. Applied to electronic voting, this technique has the major drawback of not allowing the validity of a vote to be verified without compromising its secrecy.
In document [4] “A Secure and Optimally Efficient Multi-Authority Election Scheme”, by Cramer, Gennaro, and Schoenmakers, Eurocrypt'97, LNCS, Springer-Verlag, so-called homomorphic encryption is described, enabling basic calculations to be performed on encrypted numbers. Solutions based on this method, however, are not applicable to polls involving a large number of voters.
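To illustrate what performing calculations on encrypted numbers means for a poll, the following added example (not taken from the present document or from document [4]) tallies encrypted yes/no votes without decrypting any single ballot. It assumes exponential ElGamal over a constructed toy group and a single decrypting authority; the function names are hypothetical.

```python
import secrets

# Constructed toy group: P = 2*Q + 1 with P and Q prime; G = 4 generates
# the subgroup of prime order Q. Real parameters are thousands of bits long.
P, Q, G = 2039, 1019, 4

def keygen():
    """Election authority key pair: secret x, public h = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt_vote(h: int, vote: int):
    """Encrypt a 0/1 vote as (G^r, G^vote * h^r) with fresh randomness r."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def combine(ballots):
    """Multiply ciphertexts component-wise: the result encrypts the SUM of votes."""
    a, b = 1, 1
    for c1, c2 in ballots:
        a, b = a * c1 % P, b * c2 % P
    return a, b

def decrypt_tally(x: int, ciphertext, max_total: int) -> int:
    """Decrypt only the combined ciphertext, then recover the sum from G^sum."""
    c1, c2 = ciphertext
    g_sum = c2 * pow(pow(c1, x, P), -1, P) % P
    # The sum sits in the exponent, so it is found by search over 0..max_total;
    # this search grows with the number of voters.
    for total in range(max_total + 1):
        if pow(G, total, P) == g_sum:
            return total
    raise ValueError("tally outside expected range")

def run_election(votes):
    """Tally a list of 0/1 votes (fewer than Q of them) under a fresh key."""
    x, h = keygen()
    ballots = [encrypt_vote(h, v) for v in votes]
    return decrypt_tally(x, combine(ballots), len(votes))

if __name__ == "__main__":
    sample_votes = [1, 0, 1, 1, 0, 1, 1]  # constructed sample ballots
    print("yes votes:", run_election(sample_votes))
```

A deployed scheme additionally needs a proof that each ballot encrypts 0 or 1 and a decryption key shared among several authorities; both are omitted here.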