Secure Remote Electronic Voting, CSE-681, Fall 2006. David Foster and Laura Stapleton.


Motivation
The current absentee ballot system requires a physical visit to the voting district authorities and one mailing or three mailings between voter and voting district authorities for every election.
Increase voter turnout of overseas military and citizens, disabled voters, out-of-state college students, younger citizens, traveling businessmen, etc.
Increase confidence in election correctness by providing feedback to voters.

Characteristics of a Secure Voting System
Completeness, Soundness, Privacy, Unreusability, Eligibility, Fairness, Verifiability.

Threats to a Voting System
Insider attacks; denial of service; vote buying / vote coercion; viruses.

Cryptographic Functions
Hash; Digital Signature; Blind Signature; Verifiable Mixing; Blind Commitment.

Hash
h = H(k_1, H(k_2, M))
Used to ensure the integrity of M.
Computationally infeasible to find different values of M, k_1, or k_2 that yield the same hash output h.
k_1 and k_2 are random numbers that increase the strength of the resulting hash.

Digital Signature
Provides authentication and integrity.
Using RSA, the signature C of H(M) under secret key d is C = H(M)^d mod n.
Verify C with public key e by checking H(M) = C^e mod n.
H(M) is the hash of message M.

Blind Signature
Allows a trusted authority to sign data that it cannot see.
The voter blinds the message using a random number k and the trusted authority's public key e: B = M k^e mod n.
The authority signs with its private key d: S = B^d = M^d k mod n.
The blind signature is extracted with k: C = (S / k) mod n = M^d mod n, an ordinary RSA signature on M.
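The keyed hash, the RSA signature, and the blind signature from the three slides above, worked through in code. This is an added example, not code from the presentation; the toy RSA modulus built from two Mersenne primes, the 128-bit truncation of the digest, the sample ballot bytes and the sample keys are all constructed here so the arithmetic fits and runs offline. It uses textbook RSA without padding, which is fine for showing the blinding algebra but is not how a deployed signer should operate.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: the Mersenne primes 2^107-1 and 2^127-1 with e = 65537.
# Textbook RSA with no padding, used only to show the arithmetic on the slides;
# a real system uses a properly generated 2048-bit or larger key and a padded scheme.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, e*d = 1 mod phi(n)


def keyed_hash(k1: bytes, k2: bytes, message: bytes) -> int:
    """h = H(k1, H(k2, M)) from the Hash slide, returned as an integer.

    The 256-bit digest is truncated to 128 bits so that h < N for this toy modulus.
    """
    inner = hashlib.sha256(k2 + message).digest()
    outer = hashlib.sha256(k1 + inner).digest()
    return int.from_bytes(outer[:16], "big")


def sign(h: int) -> int:
    """Digital Signature slide: C = H(M)^d mod n."""
    return pow(h, D, N)


def verify(h: int, c: int) -> bool:
    """Verification: accept when H(M) == C^e mod n."""
    return pow(c, E, N) == h


def blind(h: int, k: int) -> int:
    """Blind Signature slide, voter side: B = M k^e mod n hides M from the signer."""
    return (h * pow(k, E, N)) % N


def blind_sign(b: int) -> int:
    """Authority side: S = B^d = M^d k mod n, computed without ever seeing M."""
    return pow(b, D, N)


def unblind(s: int, k: int) -> int:
    """Voter side: C = S / k mod n = M^d mod n, i.e. S times the inverse of k mod n."""
    return (s * pow(k, -1, N)) % N


def random_blinding_factor() -> int:
    """Pick k in [2, N) with gcd(k, n) = 1 so that k^-1 mod n exists."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return k


def demo(ballot: bytes, k1: bytes, k2: bytes, k: int) -> dict:
    """Run the direct and the blinded signing path on one ballot hash and compare."""
    h = keyed_hash(k1, k2, ballot)
    direct = sign(h)                  # what the authority would produce if it saw M
    b = blind(h, k)                   # what the authority actually receives
    c = unblind(blind_sign(b), k)     # what the voter recovers
    tampered = keyed_hash(k1, k2, ballot + b"x")
    return {
        "unblinded_equals_direct_signature": c == direct,
        "unblinded_signature_verifies": verify(h, c),
        "blinded_value_reveals_hash": b == h,          # False: the authority saw only B
        "signature_verifies_on_tampered_hash": verify(tampered, c),
    }


if __name__ == "__main__":
    result = demo(b"ballot: mayor=Clive", b"k1-sample", b"k2-sample", random_blinding_factor())
    for name, value in result.items():
        print(f"{name}: {value}")
```

The point of the last two dictionary entries is what the slides leave implicit: the value the authority signs (B) carries no information about M, yet the unblinded result is bit-for-bit the signature the authority would have produced on M directly, so any verifier can check it with the public key alone.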

Verifiable Mixing
Shuffle a list of encrypted data and pass it on to a second authority.
The second authority has no way to reconstruct the original order.
Any party can confirm that all of the original, unmodified data is present in the shuffled data and that no extra data was added.
No one but the shuffler has access to the original list.

Blind Commitment
Prove to an authority that data has been created and fixed without supplying the data itself.
The data owner creates two random keys and calculates the hash h = H(k_1 || k_2 || M).
The data owner sends k_2 and h to the authority for safekeeping.
The data owner sends k_1 and M when the data must be revealed and verified.

Existing Systems
Traditional (PCOS); Direct Record Electronic (DRE); Absentee; VoteHere VHTi; SERVE; EVOX with Multiple Administrators.

Traditional (PCOS)
Precinct Counted Optical Scan.
The voter fills in circles on a paper ballot.
The voter takes the completed ballot, in a sleeve, to the optical scanner and inserts it.
Optical scanner records are transported to the central district for processing.

Direct Record Electronic
The ballot is stored electronically; no paper ballot is used.
Often uses touch screens or push buttons.
Paper records may be printed internally during or after an election, but they are not subject to voter verification.
Results are usually reported on an electronic memory module or via modem.

Absentee
Registration requires a physical visit to the voting authority or a two-way mailing.
Ballot and return envelopes are mailed prior to the election.
The voter completes the ballot, encases it in an inner envelope, then mails it to the voting authority in an outer envelope up to the Saturday before Election Day.
Voting officials open the outer envelope, shuffle the inner envelopes, then remove and process the ballots.

EVOX with Multiple Administrators
Extension of the EVOX system.
Reduces the threat of insider attacks.
More than half of the available Administrators must validate each voter.
(Diagram: Commissioner, Manager, Administrators, Anonymizer, Tallying Server, Voters.)

VoteHere VHTi
DRE system.
Creates a paper receipt for the voter after the ballot is cast.
The voter may verify that his/her ballot was correctly received by officials.
Anyone can verify correct tabulation of the results.

VoteHere Receipt Example (figure)
Steps shown: blinded and committed ballot; choose column for selection; choose columns for non-selections; generate receipt; unblind and decode results.
Candidates: Al, Bob, Clive, Dan.
Values on the receipt: 0,4  3,5  2,2  4,1.
Decoded results: No, No, Yes, No.

SERVE
Secure Electronic Registration and Voting Experiment, intended for trials in the 2004 election.
Developed as part of the Federal Voting Assistance Program (FVAP).
Ruled too insecure by the Security Peer Review Group.
Used the Internet for transmissions and made heavy use of public key cryptography.

Proposed System
SERVE's cryptography.
EVOX with Multiple Administrators' structure.
VoteHere's public audit mechanisms.
Bootable CD and modem pool for increased security.
(Diagram: Commissioner, Manager, Administrators, Anonymizer, Tallying Server, Modem Pool, Voters.)

Registration
Similar to absentee registration.
Propose allowing voters to establish a window for remote voting.

Bootable CD
Self-contained, minimal operating system and ballot information.
Private key and unique voter ID mailed with the CD.
Mailed to voters several weeks ahead of time.
The voter may use the CD to vote up until the Saturday before Election Day.

Modem Pool
Provides a bridge between voting PCs and the servers.
Compared to the Internet, more resistant to spoofing, DoS, and eavesdropping.

Administrators
Maintain a list of voter IDs, voter public keys, and optionally ballot type information (district, party, etc.).
Each administrator i receives a message for the blind commitment of the voter's ballot: E_KAi+( V, E_KV-( H(k_1,i || k_2,i || B), k_2,i ) ).
Each administrator commits and returns a ticket to the voter: E_KV-( E_KT+( E_KAi-( H(k_1,i || k_2,i || B), k_2,i, D ) ) ).

Manager
Signs the list of administrators a voter used to validate the ballot.
Does not know which administrators were used.
Only signs one list per voter ID.
The voter sends E_KM+( V, E_KV-( H(A || k_1,1 || … || k_1,n) ) ).
The returned ticket is E_KV+( E_KM-( H(A || k_1,1 || … || k_1,n) ) ).

Anonymizer
The voter sends the completed ballot, the verification tickets, and the keys needed to unblind the data:
E_KANON+( V, E_KV-( B, E_KT+(
    E_KM-( H(A || k_1,1 || … || k_1,n) ),
    E_KT+( E_KA1-( H(k_1,1 || k_2,1 || B), k_2,1, D ) ), …, E_KT+( E_KAn-( H(k_1,n || k_2,n || B), k_2,n, D ) ),
    k_B, k_1,1, …, k_1,n, A ) ) )

Anonymizer
The Anonymizer uses the list of voter IDs and public keys to decrypt the message.
It creates a list of voter IDs and partially unblinded ballots (B) for publication on the web.
It creates a list of B's and the tallying server tickets, shuffles them via verifiable mixing, and moves the list to the tallying server.

Tallying Server
Ballot data from the Anonymizer has the form
B, E_KT+(
    E_KM-( H(A || k_1,1 || … || k_1,n) ),
    E_KT+( E_KA1-( H(k_1,1 || k_2,1 || B), k_2,1, D ) ), …, E_KT+( E_KAn-( H(k_1,n || k_2,n || B), k_2,n, D ) ),
    k_B, k_1,1, …, k_1,n, A )
All information present is protected by the tallying server's public key, and no information about the specific voter is needed to decrypt, unblind, or verify the data.

Tallying Server
The tallying server uses the Administrator keys and the supplied data to confirm the following:
More than half of the Administrators signed the ballot.
The Manager signed a list that matches the Administrator tickets submitted.
The voter submitted the appropriate type of ballot.
The allowed number of selections for each question was not exceeded.
Unblinded ballots are converted to strings of "yes" or "no" and published to the web for public viewing.
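The blind commitment from the earlier slide and the four Tallying Server checks above, run end to end for one voter. This is an added example and not the presentation's own code: the signatures and public-key encryption layers are left out, so an administrator's ticket is represented by the (k_2,i, h_i) record it committed to and the Manager's ticket by the hash H(A || k_1,1 || … || k_1,n) it would sign; the "district-7" ballot type, its candidates, the selection limits, the JSON ballot encoding and the random keys are all constructed here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed ballot type: question -> (candidates, maximum number of selections).
# Stands in for the "ballot type information (district, party, etc.)" the administrators hold.
BALLOT_TYPES = {
    "district-7": {
        "mayor": (["Al", "Bob", "Clive", "Dan"], 1),
        "council": (["Eve", "Fay", "Gus"], 2),
    },
}


def encode_ballot(ballot: dict) -> bytes:
    """Canonical byte form of a ballot so every party hashes the same M."""
    return json.dumps(ballot, sort_keys=True).encode()


def commit(k1: bytes, k2: bytes, data: bytes) -> bytes:
    """Blind Commitment slide: h = H(k1 || k2 || M). Only h and k2 go to the authority."""
    return hashlib.sha256(k1 + k2 + data).digest()


def open_commitment(h: bytes, k1: bytes, k2: bytes, data: bytes) -> bool:
    """Reveal step: the authority is given k1 and M and recomputes the hash it stored."""
    return hmac.compare_digest(commit(k1, k2, data), h)


def manager_hash(admin_ids: list, k1s: dict) -> bytes:
    """H(A || k1,1 || ... || k1,n): the value the Manager signs for one voter."""
    ids = sorted(admin_ids)
    return hashlib.sha256(json.dumps(ids).encode() + b"".join(k1s[i] for i in ids)).digest()


def tally_checks(ballot: dict, ballot_type: str, n_admins: int,
                 admin_tickets: dict, manager_ticket: bytes, manager_list: list, k1s: dict):
    """The four Tallying Server checks; returns (per-check results, accepted).

    admin_tickets maps administrator id -> (k2_i, h_i). Signatures are omitted, so an
    administrator's ticket is taken to be the commitment record it holds.
    """
    data = encode_ballot(ballot)
    opened = [i for i, (k2, h) in admin_tickets.items()
              if i in k1s and open_commitment(h, k1s[i], k2, data)]
    lists_match = (sorted(manager_list) == sorted(admin_tickets)
                   and all(i in k1s for i in manager_list))
    spec = BALLOT_TYPES.get(ballot_type, {})
    checks = {
        "majority_of_administrators_signed": len(opened) > n_admins / 2,
        "manager_list_matches_tickets": lists_match
            and hmac.compare_digest(manager_hash(manager_list, k1s), manager_ticket),
        "ballot_type_matches": bool(spec) and set(ballot) == set(spec),
        "selection_limits_respected": bool(spec) and all(
            set(ballot.get(q, [])) <= set(cands) and len(set(ballot.get(q, []))) <= limit
            for q, (cands, limit) in spec.items()),
    }
    return checks, all(checks.values())


def to_yes_no(ballot: dict, ballot_type: str) -> dict:
    """Published form: each candidate on the ballot type becomes 'yes' or 'no'."""
    return {q: {c: "yes" if c in ballot.get(q, []) else "no" for c in cands}
            for q, (cands, _) in BALLOT_TYPES[ballot_type].items()}


def run_voter(ballot: dict, n_admins: int, used: list, revealed: dict = None):
    """Simulate one voter committing `ballot` to the administrators in `used`, then the
    tally verifying `revealed` (defaults to the same ballot). Keys are random per run."""
    data = encode_ballot(ballot)
    k1s = {i: secrets.token_bytes(16) for i in used}
    k2s = {i: secrets.token_bytes(16) for i in used}
    admin_tickets = {i: (k2s[i], commit(k1s[i], k2s[i], data)) for i in used}
    manager_ticket = manager_hash(used, k1s)
    return tally_checks(revealed or ballot, "district-7", n_admins,
                        admin_tickets, manager_ticket, used, k1s)


if __name__ == "__main__":
    good = {"mayor": ["Clive"], "council": ["Eve", "Gus"]}
    print(run_voter(good, 5, [0, 1, 2]))          # accepted: 3 of 5 administrators
    print(run_voter(good, 5, [0, 1]))             # rejected: only 2 of 5
    print(to_yes_no(good, "district-7"))
```

Two failure modes are worth running yourself: revealing a different ballot than the one committed makes every administrator's commitment fail to open, so the majority check fails even though the manager list is intact; an over-limit ballot opens all commitments correctly but fails the selection-limit check, which is why the tally must apply all four checks rather than stop at the signature count.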

Implementation
Initially target overseas military and citizens (est. 6,000,000).
Create an option for domestic voters.
The system scales linearly as the number of voters increases.

Conclusion
Reduces the number of communication steps between voting authorities and voters prior to the election.
Increases voting availability for several demographics.
Provides a more secure system than the prior systems.
Allows more voters to confirm the accuracy of the election process, generating confidence in the system.