
Secure Voting Systems, CSCI 283-172, Fall 2010, GW (presentation transcript)


1 Secure Voting Systems CSCI 283-172 Fall 2010 GW

2 Outline
Current voting technology, limitations
Cryptographic approach; paradigm shift
“End-to-end” voting systems
Electronic E2E voting systems?

3 Current Technology

4 Humboldt County, CA: voting machines dropped 197 votes – Wired, 12-8-2008
Florida’s 13th Congressional District (2006): one in seven votes recorded on voting systems was blank – US Government Accountability Office, 2-8-2008
Franklin County, Ohio: computer error gave Bush 3,893 extra votes in one precinct – WaPo, 11-6-2004
In a North Carolina county: 4,500 votes were lost – WaPo, 11-6-2004
In the world’s oldest continuous democracy

5 Voting Machine Analysis
Kohno et al (2004): Diebold AccuVote-TS DRE*
– Voters can cast unlimited votes without detection
– Insiders can modify votes and match votes to voters
Felten (2006)
– "Hotel Minibar Keys Open Diebold Voting Machines"
Bishop, Wagner et al (2007): CA “Top to Bottom Review”
– Voter can insert a virus into code
– Virus can spread through the state’s election system
And so on …: optical scan (Kiayias et al, 2007); Ohio voting machines, OS + DRE (McDaniel et al, 2007); NJ DREs (Appel et al, 2009)
*DRE: Direct Recording Electronic

6 Not possible to test large programs for the absence of errors
– Cannot rely only on software testing
How do we know: what was tested = what was used?
More exhaustive testing?

7 Software Independence

8 A voting system is software independent* if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome.
≠ “Don’t use software”
= Error-free software is not an assumption; should check the output of software
*Rivest and Wack

9 Shift the Focus: Audit the Election, Not the Equipment
Instead of checking
– all the software, and
– that it will perform several operations correctly every time
Determine that only the tally is correct, only this time

10 Paper Back-Up
Voter-Verified Paper Audit Trail (VVPAT) is SI (VVSG)
Presidential Primary, San Mateo County, CA, 2008 Election
All pictures on this slide: Joseph Lorenzo Hall, http://www.flickr.com/photos/joebeone/ , Creative Commons 2.0. The views in this presentation are the speaker’s alone and should not be attributed to Hall.
At least “we” can count paper

11 Voting Technology: 2008 US Election (map; source: Verified Voting Foundation)
Map legend:
– Paper Ballot (also Puerto Rico)
– Paper Ballot and Punch Card
– Mixed Paper Ballot and DREs with VVPAT (also Hawaii and Alaska)
– DREs with VVPAT
– Mixed Paper Ballot and DREs with and without VVPAT
– Mixed Paper Ballot and DREs without VVPAT
– DREs without VVPAT
– Mechanical Lever Machines and Accessible Ballot Marking Devices

12 Map of Electronic Democracy (world map)
Map legend:
– No E-Voting
– Planning, trials, non-legally binding E-Voting
– Successful legally binding electronic voting with voting machines
– Successful legally binding internet voting
– Successful legally binding internet and electronic voting
– Stopped electronic voting with voting machines
Source: E-Voting.CC (Competence Center for Electronic Voting and Participation) (2009): Map of Electronic Democracy. In: Modern Democracy (2)/1, pp. 8-9. URL: http://e-voting.cc/files/e-voting-map-2010

13 Assumptions (Lowry and Vora, 2010)
Secure Chain of Custody
– Of audit trail
Procedures are Followed
– Follow procedure, count/recount correctly
Randomness*
– Audits include element of randomness not predictable by voting system
Usable/Human-Error-Resistant Auditability*
– Auditability (e.g.: VVPATs) aspects easy to use
* Assumptions pointed out by John Kelsey

14 At least “we” can count paper. BUT:
Everyone cannot use paper
Inefficient
– Recall how long it took to declare the final result of the 2008 Minnesota Senate election, 2010 Alaska Senate election
– To be fair: may be inherent in the manner in which paper is marked; often difficult to determine voter intent
Potentially inaccurate counts and recounts
Problems of integrity remain
– “we” = persons with privilege
– Still need to secure cast ballots till counting, i.e. maintain secure chain of custody
– Need physical presence during counting
Can we distribute the burden of a secure chain of custody: can the voter keep a part of the paper trail?
Can the tally be counted in a virtually-verifiable manner?

15 ATM Receipt: Solution?
Anyone can verify tally: complete transparency!
No ballot secrecy
Essential trade-off between the two
Photo credit: Joseph Lorenzo Hall, http://www.flickr.com/photos/joebeone/ , Creative Commons 2.0

16 Coercible
Evidence used to catch a cheating system can also be used to sell a vote: the voter possesses evidence that can be used to prove how she voted
Photo credit: Joseph Lorenzo Hall, http://www.flickr.com/photos/joebeone/ , Creative Commons 2.0

17 Cryptographic Voting Systems

18 Encrypted Paper Trail
1. Voter casts encrypted vote and takes copy out of polling booth
2. Voter checks receipt on website/newspaper
(Figure: sample receipt, Lok Sabha Elections 2009, Parliamentary Constituency: Gandhinagar, Receipt No: 7151058, code X897)

19 First Approach: Mixnet-Based
Invention of secure electronic voting: Chaum (1981)

20 Mixnet: public key encryption/decryption
A vote $v_j$ is encrypted using the public keys of several mixes, innermost layer first:
$E_{pub_n}(r_n, v_j)$, then $E_{pub_{n-1}}(r_{n-1}, E_{pub_n}(r_n, v_j))$, …, and finally
Receipt $= E_{pub_1}(r_1, E_{pub_2}(r_2, \ldots E_{pub_n}(r_n, v_j) \ldots))$
The $i$-th mix gets $E_{pub_i}(r_i, \ldots E_{pub_n}(r_n, v_j) \ldots)$, decrypts with its private key, discards $r_i$, and shuffles

21 3. Votes are decrypted and shuffled
(Figure: encrypted receipts 34W1 AC1U HY40 9IK1 2LS7 B8OH 5TJG DEV6 → partially decrypted 5GXT NZ2Q LN04 S43R 77JH MBFD AZ9J LOQ1 → plaintext votes Thakor, Advani, Thakor, Advani, Thakor, Advani)
Partial decryption using asymmetric-key cryptography
On public website: anyone can compute tally

22 4. Tally Audit
Public audit, using public information
– Information not restricted to persons of privilege
Efficient tally audits that are not zero-knowledge
– Jakobsson, Juels, Rivest (2002)
– Chaum (2004)
Less efficient ZK audits
– Sako and Kilian (1995)
Voting protocols can protect
– tally integrity or vote secrecy (but not both)
– against an adversary who can break the cryptography

23 For Example: Tally Audit (Not ZK), Jakobsson, Juels, Rivest (2002)
(Figure: receipts 34W1 AC1U HY40 9IK1 2LS7 B8OH 5TJG DEV6; intermediate values 5GXT NZ2Q LN04 S43R 77JH MBFD AZ9J LOQ1; plaintext votes Thakor, Advani, Thakor, Advani, Thakor, Advani; opened links marked *)
Chosen mix reveals $r_i$ and the corresponding input/output; anyone can check the correspondence using the public key
On public website: anyone can check opened commitments

24 Second Approach: Homomorphic Encryption
First proposed by Cohen (now Benaloh) and Fischer (1985)

25 Homomorphic Voting (Baudron et al, 2001)
Simple example: two candidates
Paillier public-key system: public $g, N$; $m$ encrypted as $g^m r^N \bmod N^2$
$i$-th voter encrypts vote $v_i = 0$ or $v_i = 1$ as $g^{v_i} r_i^N \bmod N^2$
Voter provides zero-knowledge proof that he has cast a vote for one of “1” or “0”
– And not for “3”, or “1000” or “-100” etc

26 Homomorphic Tallying
Voting system multiplies all encryptions to obtain $g^{\sum_i v_i} \left(\prod_i r_i\right)^N \bmod N^2$
Decrypts with private key to obtain $\sum_i v_i \bmod N$
– And reveals $\left(\prod_i r_i\right)^N$
$\sum_i v_i$ is the number of votes for “1”
Decryption correctness can be verified by anyone using the public key
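Slides 25 and 26 carried through in code, as an added example (not code from the course or from Baudron et al): toy Paillier keys, 0/1 ballots, the product of encryptions, and the public check of the opened tally. The voter's zero-knowledge proof of 0/1 is left out; the primes and vote values are constructed for the demo. Rather than publishing $(\prod r_i)^N$ directly, the opener here publishes $\rho = \prod r_i \bmod N$, from which anyone recomputes $\rho^N$; since Paillier encryption is a bijection, that makes the public check binding.

```python
import math
import secrets

P, Q = 104723, 104729  # constructed toy primes; a real election needs ~2048-bit primes


def keygen(p=P, q=Q):
    """Paillier key pair: public (N, g), private (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                                           # standard choice of g
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)      # L(g^lambda)^-1 mod N
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """g^m * r^N mod N^2 with a fresh random r coprime to N."""
    n, g = pk
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def cast_votes(pk, votes):
    """Each voter encrypts v_i in {0, 1}; the ZK proof of 0/1 is omitted here."""
    if any(v not in (0, 1) for v in votes):
        raise ValueError("each ballot must encrypt 0 or 1")
    return [encrypt(pk, v) for v in votes]


def aggregate(pk, ciphertexts):
    """Multiply all encryptions: g^(sum v_i) * (prod r_i)^N mod N^2."""
    n, _ = pk
    product = 1
    for c in ciphertexts:
        product = product * c % (n * n)
    return product


def open_tally(pk, sk, product):
    """Key holder decrypts the sum and recovers rho = prod r_i mod N."""
    n, g = pk
    lam, _ = sk
    tally = decrypt(pk, sk, product)
    rho_n = product * pow(pow(g, tally, n * n), -1, n * n) % (n * n)  # (prod r_i)^N
    rho = pow(rho_n % n, pow(n, -1, lam), n)                          # N-th root mod N
    return tally, rho


def verify_tally(pk, product, tally, rho):
    """Public check with the public key only: product == g^tally * rho^N mod N^2."""
    n, g = pk
    return product == pow(g, tally, n * n) * pow(rho, n, n * n) % (n * n)


def run_election(votes):
    pk, sk = keygen()
    product = aggregate(pk, cast_votes(pk, votes))
    tally, rho = open_tally(pk, sk, product)
    return tally, verify_tally(pk, product, tally, rho)
```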

27 The story so far (in 2002) …
Very interesting theoretical results: Chaum (1981), Cohen (now Benaloh) and Fischer (1985), Benaloh and Tuinstra (1994), Sako and Kilian (1995)
– Relevant: zero-knowledge proofs and interactive/non-interactive proofs (e.g. Goldwasser-Micali-Rackoff (1985))
– Efficient algorithms for secure multi-party computation
BUT: these assume voters are probabilistic-polynomial-time Turing machines
– Voters can encrypt in their heads
– Voters have access to trusted machines for encrypting votes
Encryption on trusted machines
– Cannot use in polling booth
– Cannot use to vote from home: home PCs can have viruses
Adversary can threaten or bribe voter

28 Trusted encryption without trusted encryption device?

29 End-to-end-independently-verifiable (E2E) Voting Systems
Chaum (2003-4), Neff (2004)
Voters need not trust encryption device (all following have prototypes):
Paper Ballots
– Prêt à Voter (Ryan et al, 2005, Univ. of Surrey, Newcastle Univ., UK)
– Punchscan (2006, Chaum, GW, UMBC, UOttawa): first voter-verifiable binding election (grad student election at Univ. Ottawa, 2008); grand prize winner, International Voting System Competition VoComp, 2008
– Voting Ducks (Wroclaw Univ. of Technology, Poland)
Electronic Ballots
– Simple Verifiable Voting (Benaloh, 2006)
– VoteBox (Sandler and Wallach, Rice Univ., 2008)
– Helios (remote voting system, Adida, MIT/Harvard, 2008): Recteur, Catholique Universite, Louvaine, Belgium (2009); Princeton Undergraduate student government (2009)
Rijnland Internet Election System (RIES, remote voting system)
– Netherlands governmental elections (2004, 2006)
– coercible

30 Use notion of commitment
Alice commits to a value $x$ by giving to Bob a value $y$ such that:
– Bob does not know $x$ and
– cannot determine it from $y$.
At a later time Alice can open the commitment by revealing the value $x$ and some $r$, such that Bob will know she hasn’t changed $x$ since she committed to it, by checking a relationship between $x$, $r$ and $y$
Example: $y = E_{pub}(x \| r)$

31 General E2E Protocol
Before election: system commits to any parameters, and makes public keys etc
Voting (interactive):
1. Voter commits to whether he will audit or cast this vote
2. Voter provides vote
3. System provides encryption
4. If audit: check encryption; go to 1. Else: cast encrypted vote
After election: system posts encrypted votes; voters check
System provides tally and encrypted audit trail
Tally audit (interactive)

32 E2E Paper Ballot Systems
Ballots cleverly designed:
– voter encrypts vote by marking special paper ballot
– voter and voting system in an interactive protocol on a write-once tape
Some use a commitment-based back-end that uses more efficient symmetric-key encryption

33 Example “Front (Encryption) Ends” of Paper-Ballot Systems

34 General Description
System $= (V, R, K, E, D)$; $f: S \to K$
$r = (s, x, E(f(s), v))$
$r$: receipt; $s$: serial number; $x$: decryption information, commitments; $f(s)$: key; $v$: vote
Given $s$ and $k$, should be able to check that $f(s) = k$

35 Chaum (2004): Visual Cryptography
First complete technical description: Vora (2004)
First non-commercial implementation of a voter-verifiable system: Hosp et al (2004)
Ballot consists of two layers. Voter takes one home. It should reveal nothing about his vote.
Pictures from Stefan Popoveniuc, PhD Dissertation, GW, 2009

36 Details
Receipt $= (s_a, x_a, v \oplus k_a)$
$x_a$: decryption information, commitments
$k_a = F(\mathrm{Sign}(s, p_a))$ is the key for chosen layer $a$
$p_a$ is the private key for layer $a$
$F$ is a PRNG
Receipts $(s_a, x_a, v \oplus k_a)$, $(s_{\bar a}, x_{\bar a}, v \oplus k_{\bar a})$
Voter checks that: $s_a = s_{\bar a}$ and $v = r_a \oplus r_{\bar a}$
$r_a$ is the set of pixels on the receipt, and includes $v \oplus k_a$ and $k_{\bar a}$
Symmetric proof receipt

37 Punchscan (Chaum, 2005)
GW: Implementation (2006)
First voter-verifiable binding election (grad student election at Univ. Ottawa, 2008: UOttawa, UMBC, GW)
Grand prize winner, International Voting System Competition VoComp, 2008
Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009

38 Receipt: f(s) =  a  ā
No additional decryption information
Symmetric

39 Scantegrity II (2008): UMBC, GW, MIT, Waterloo, UOttawa
Photo by Alex Rivest

40 Receipt: f(s) = an AES encryption key
No decryption

41 Example: Prêt à Voter Encryption (Ryan et al, 2005)
(Figure: ballot and receipt with pseudo-random candidate ordering and “onion”; picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009)
1. System encrypts vote
2. Voters can choose to audit the encryption or cast it
3. Audit ballot by opening onion
4. Vote should decrypt to one for Buddhist

42 Example: Prêt à Voter Tallying (Ryan et al, 2005)
(Figure: ballot and receipt with pseudo-random candidate ordering and “onion”; picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009)
Permutation is composition of several permutations, one for each mix
Onion contains seeds for each permutation, encrypted as a mixnet message
Mixes each:
– decrypt onion
– undo permutation
– pass on rest of onion

43 Example: Commitment-Based Back-End
Part of Punchscan system, Chaum et al (2004)
(Figure: ballot with pseudo-random candidate ordering and “onion”; picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009)
Punchscan has a different front-end; explanation on PaV front-end for simplicity
Retain composition of permutations
Instead of onion, a serial number
Instead of mix, set of commitments to:
– permutations
– position in the shuffle
More efficient than public-key decryption
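The commitment (slide 30), the audit-or-cast step of the general E2E protocol (slide 31) and the serial-number back-end of slide 43 together, as an added example that is not code from Punchscan, Prêt à Voter or the course: each ballot's pseudo-random candidate ordering is committed under its serial number before voting, an audited ballot is opened and checked against the bulletin, and cast receipts carry only (serial, position). A SHA-256 hash commitment stands in for the slide's $E_{pub}(x \| r)$; the candidate names and serials are constructed.

```python
import hashlib
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed candidate list for the demo


def commit(serial, perm, r):
    """SHA-256(serial || perm || r): a hash commitment standing in for the
    page's y = E_pub(x || r); hiding and binding for this purpose."""
    return hashlib.sha256(f"{serial}|{perm}|{r}".encode()).hexdigest()


def print_ballot(serial):
    """Ballot with a pseudo-random candidate ordering; the ordering is
    committed under the serial number (serial number instead of an onion)."""
    perm = list(range(len(CANDIDATES)))       # perm[i] = candidate printed at position i
    secrets.SystemRandom().shuffle(perm)
    r = secrets.token_hex(16)                 # commitment randomness, opened only on audit
    return {"serial": serial, "perm": perm, "r": r, "commitment": commit(serial, perm, r)}


def mark_ballot(ballot, candidate):
    """Voter marks the printed position of `candidate`; the receipt (serial,
    position) reveals nothing about the choice without the secret ordering."""
    position = ballot["perm"].index(CANDIDATES.index(candidate))
    return {"serial": ballot["serial"], "position": position}


def audit_ballot(ballot, bulletin):
    """Voter chose 'audit' rather than 'cast': the system opens (perm, r) and
    the voter checks it against the commitment published before voting."""
    return bulletin.get(ballot["serial"]) == commit(ballot["serial"], ballot["perm"], ballot["r"])


def tally(receipts, perms):
    """Back-end undoes each ballot's permutation with the secret orderings."""
    counts = {c: 0 for c in CANDIDATES}
    for rec in receipts:
        counts[CANDIDATES[perms[rec["serial"]][rec["position"]]]] += 1
    return counts


def run_election(choices, audited):
    """choices: serial -> candidate; audited: serials the voters chose to open
    instead of cast. Returns (counts, all_audits_passed)."""
    ballots = {s: print_ballot(s) for s in choices}
    bulletin = {s: b["commitment"] for s, b in ballots.items()}   # public before voting
    audits_ok = all(audit_ballot(ballots[s], bulletin) for s in audited)
    receipts = [mark_ballot(ballots[s], c) for s, c in choices.items() if s not in audited]
    perms = {s: b["perm"] for s, b in ballots.items()}            # held by the back-end only
    return tally(receipts, perms), audits_ok


def tampered_ballot_detected():
    """A system that prints an ordering different from the one it committed
    to is caught by any voter who audits that ballot."""
    b = print_ballot(99)
    bulletin = {99: b["commitment"]}
    b["perm"] = b["perm"][1:] + b["perm"][:1]   # printed ordering != committed ordering
    return not audit_ballot(b, bulletin)
```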

44 Properties
Not many rigorous definitions
Most apply to single voting systems

45 Desirable Property I: Auditability
A voting system is auditable if it provides evidence about an election, to* voters and the general public, that can be used to determine the correctness of the election outcome.
Evidence provided to:
– Voters: voter-auditable
– Public: publicly-auditable
VVPAT records are voter-auditable; publicly-auditable if recounts are performed in public.
* First recommended to us by Stefan Popoveniuc

46 Desirable Property II: Ballot Secrecy, Incoercibility
A voting system is incoercible if additional information provided by the voting system (and the procedures/process for using it), combined with any evidence provided by the voter, does not improve an adversary’s guess on how the voter voted.
Incoercibility: ballot secrecy in spite of cooperation between adversary and voter

47 End-to-End Independently-Verifiable (Lowry and Vora, 2009)
A voting system is end-to-end independently-verifiable if an independent, honest observer can determine—with virtual certainty—whether a declared election outcome correctly represents the votes cast by voters.
To the extent that the observer is required to trust:
– entities, software or hardware: he or she should be able to choose said entities, software or hardware
– procedures*: these should be limited to those for vote casting, and be publicly observable (rationale: voter can complain if procedures not followed for her own vote)
*Andy Regenscheid noticed that procedures need to be mentioned

48 Voter-Verifiable
A process is voter-verifiable if an honest voter can determine—with virtual certainty—whether the process was correctly carried out.
To the extent that the voter is required to trust:
– entities, software or hardware: he or she should be able to choose said entities, software or hardware
– procedures: these should be limited to those for vote casting, and be publicly observable

49 Universally-Verifiable
A process is universally-verifiable if an honest observer can determine—with virtual certainty—whether the process was correctly carried out.
To the extent that the observer is required to trust:
– entities, software or hardware: he or she should be able to choose said entities, software or hardware
– procedures: these should be limited to those for vote casting, and be publicly observable

50 Honest Observer’s Point of View
Independent honest observer notes that:
Ballot-casting is voter-verifiable
– Voters verify some information about votes that comes out of voting process
Tally-processing is universally-verifiable
– Voting system computes tally from this information in a universally-auditable manner
Then is virtually convinced that the election outcome is correct

51 Comparison: Auditability

System                 | Auditable | Voter Auditable | Publicly Auditable | Voter-Verifiable | Universally Verifiable
Paper + manual recount | ✓         | ×               | ✓ if recount public| ×                | ×
DRE                    | ×         | ×               | ×                  | ×                | ×
DRE + VVPAT            | ✓         | ✓               | ✓ if recount public| ×                | ×
E2E                    | ✓         | ✓               | ✓                  | ✓                | ✓ (tally processing)

52 Comparison: Auditability Assumptions

System                 | Auditability requires (publicly unobservable) procedures correctly followed | Auditability requires secure chain-of-custody | Software dependent
Paper + manual recount | Yes                                                                         | Yes                                           | No
DRE                    | Not auditable                                                               | Not auditable                                 | Yes
DRE + IVVR             | Yes                                                                         | Yes                                           | No
E2E                    | No                                                                          | No                                            | No

53 Scantegrity II: Takoma Park Municipal Election, 2009
Scantegrity II front end + Punchscan back-end
UMBC, GW, MIT, Waterloo, UOttawa

54 First fully-voter-verifiable secret-ballot governmental election
November 3, 2009: Takoma Park, MD
Mayor + 6 Council Members
1728 votes cast (10,934 registered voters)
Candidates were ranked by voters (instant runoff voting)
Unique:
– Public audit of tally
– Open-source
– Fully-verifiable by voters

55 Scantegrity II (2008): UMBC, GW, MIT, Waterloo, UOttawa
Photo by Alex Rivest


57 Website Verification
Immediately after election (10-11 pm)
– Scantegrity count announced
– Codes made available online
81 unique ballot verifications, 64 before Takoma Park complaint deadline (Nov. 6)
One complaint
– Codes not clear enough for one voter
– Voter noted “0”
– Scantegrity website said “8”
– Voter trusted Scantegrity code was correct
– Audit check later revealed Scantegrity code was correct

58 Audits: (Closed) Manual Vote Count
November 5, afternoon
Jointly by Scantegrity and Takoma Park
Corroborated Scantegrity total
Few differences, due to difference between:
– machine reading (by scanner) and
– human determination of voter intent
Election certified at 7 pm
– by Chair, Board of Elections, to City Council

59 Audits: Encryption Audit
Lillie Coney*
– Audited ballots through the day
– Chose about 50 ballots at random
– Exposed all confirmation codes
– Took home copies of marked ballots
– Checked them against commitments when opened after election
With familiarity, voters, including candidate representatives, can do this too
* Associate Director, Electronic Privacy Information Center and Public Policy Coordinator for the National Committee for Voting Integrity (NCVI)

60 Audits: Digital Audit Trail
Dr. Ben Adida* and Dr. Filip Zagórski+
– Audited the entire digital audit trail and independently confirmed tally correctness
– Provided their own copy of confirmation codes for voter check
– Pointed out discrepancies in documentation
* Helios and Center for Research on Computation and Society, Harvard University
+ Institute of Mathematics and Computer Science, Wroclaw University of Technology, Poland

61 Universally Verifiable
Anyone can perform the audits performed by Adida and Zagórski
– BoE Chair expects other voters will, using software provided by Adida and Zagórski
– Voters can write their own software, using Scantegrity public spec

62 Limitations
Bulletin Board (website) needs to be secure
– Ensure that it doesn’t present one code to voters, another to auditors
– Adida and Zagórski made copies, requested voters to check
– All information on website signed, but voters need to check signatures
The cryptographic protocol does not prevent ballot stuffing; we had to use procedures
Paper ballots are inaccessible to those with motor and visual disabilities

63 Electronic E2E Elections?

64 Electronic Audit
Voter: “Vote for Bob”
System prints encryption and signs it
Voter: “I want to audit this encryption”
System shows that it encrypted vote for Alice
Voter knows system cheated, but has no proof of “Vote for Bob”
Recall: paper-ballot E2E systems provide interactive protocol with write-once tape, proof of vote for audit

65 Electronic Audit
If we keep hard copy record, then it has to be destroyed if voter chooses to vote, not audit
All public solutions to this problem require
– Second channel for secret information to voter, OR
– Observers during audit: is this possible without voting system detecting an audit?

66 Open Problems
Secure bulletin board with minimal voter involvement
Techniques for:
– Prevention of ballot-box stuffing
– Outcome correctness independent of number of voters who check (Nandi and Vora, ICISS 2010, to appear)
Electronic E2E systems
Rigorous (cryptographic) statements; proofs of protocol properties
Formal protocol models, formal verification
– Crypto only useful for audit, not for prevention of fraud
Reliability and recovery
Accessible systems, including the ability of voters with visual disabilities to check outcome

67 Acknowledgements
Collaborators: Carback, Chaum, Clark, Essex, van de Graaf, Hall, Hosp, Lowry, Nandi, Popoveniuc, Rivest, Ryan, Shen, Sherman
At NIST: Hastings, Kelsey, Laskowski, Peralta, Popoveniuc, Regenscheid
Help with Takoma Park election: City Clerk and Board of Elections, Takoma Park
Independent auditors: Adida, Coney, Zagórski
Survey: Baumeister
Others: Florescu, Jones, Relan, Rubio, Sonawane
Support: NSF IIS 0505510, NSF CNS 0831149, NSF CNS 0937267; School of Engineering and Applied Science, GW: start-up funds

