Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg.

Published byLitzy Dibb Modified over 9 years ago

Similar presentations

Presentation on theme: "Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg."— Presentation transcript:

1 Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg

2 Outline The problem. Brief history of verifiable voting Voter-verifiability. Overview of the Prêt à Voter approach. Vulnerabilities Evolution and counter-measures Conclusions. Bertinoro 2010P Y A Ryan Prêt à Voter2

3 Secure, distributed computing Abstractly, secure, verifiable elections can be regarded as a special case of secure, distributed computation. But “real” elections are different: –Voters typically won’t have computation power or expertise. –Elections need to be scalable, usable, understandable,……. Bertinoro 2010P Y A Ryan Prêt à Voter3

4 The Problem From the dawn of democracy it was recognised that people would be tempted to try to corrupt the outcome of elections. Highly adversarial: system trying to cheat voters, voters trying to cheat the system, coercers trying to influence voters, voters trying to fool coercers etc. In the US they have been using technological devices for voting for over a century: e.g., level machines since 1897, punch cards, optical scans, touch screen etc. Prompted by high instance of fraud with paper ballots. All have problems, see “Steal this Vote” Andrew Gumbel. Bertinoro 2010P Y A Ryan Prêt à Voter4

5 The problem! Bertinoro 2010P Y A Ryan Prêt à Voter5

6 “The Computer Ate my Vote” In the 2004 US presidential election, ~30% of the electorate used DRE, touch screen devices. Aside from the “thank you for your vote for Kerry, have a nice day” what assurance do they have that their vote will be accurately counted? What do you do if the vote recording and counting process is called into question? Voter Verifiable Paper Audit Trail (VVPAT) and “Mercuri method”. But paper trails are not infallible either. Bertinoro 2010P Y A Ryan Prêt à Voter6

7 The challenge Digital voting technologies hold out promise of accessible and efficient democracy. But there are dangers. Want high assurance that all votes are accurately recorded and counted-whilst maintaining ballot secrecy. The challenge is to reconcile these two conflicting requirements whilst minimising dependence on the components (booths, tellers,officials etc.) of the scheme. Bertinoro 2010P Y A Ryan Prêt à Voter7

8 Remote vs Supervised Important to draw a clear distinction between supervised and remote voting. In the former the voter casts their vote in enforced isolation, e.g., in a booth in a polling station. Remote voting, e.g., internet, postal etc. such isolation cannot be enforced. Hence dangers of coercion. The bulk of the talk will be about supervised, but we will venture into remote voting later. Bertinoro 2010P Y A Ryan Prêt à Voter8

9 Bertinoro 2010P Y A Ryan Prêt à Voter9 Hazards of e-voting!

10 Technical Requirements Key requirements: –Integrity/accuracy –Ballot secrecy –Receipt freeness –Coercion resistance –Voter verifiability: the voter should be able to confirm that their vote is accurately included in the count. –Universal verifiability: everyone should be able to verify the count. –Eligibility verifiability. –Availability –Ease of use, public trust, cost effective, scalable etc. etc….. Bertinoro 2010P Y A Ryan Prêt à Voter10

11 Assumptions For the purposes of the talk we will make many sweeping assumptions, e.g.,: –An accurate electoral register is maintained. –Mechanisms are in place to ensure that voters can be properly authenticated. –Mechanisms are in place to prevent double voting and ballot stuffing. –Existence of a secure Web Bulletin Board. –Crypto algorithms we use are sufficiently secure. –Etc. Bertinoro 2010P Y A Ryan Prêt à Voter11

12 Brief history –1981: Chaum: anonymising mixes and suggest application to voting. –1994(?) Benaloh/Tunistra: receipt-free scheme. –2003/4: Chaum: visual crypto scheme –Neff: VoteHere and MarkPledge. –2004: Ryan: Prêt à Voter –2005: Chaum: PunchScan –2007: Chaum: Scantegrity I –2007: Rivest: ThreeBallot –2008: Scantegrity II Bertinoro 2010P Y A Ryan Prêt à Voter12

13 Internet 2001: Chaum: SureVote-code voting. 2005: Juels et al: definition of coercion- resistance and token mechanism. 2007: Clarkson et al: Civitas 2008: Adida: Helios 2008/9: Ryan/Teague: Pretty Good Democracy. Bertinoro 2010P Y A Ryan Prêt à Voter13

14 Voter-verifiability in a nutshell Voters are provided with an encrypted “receipt”. Copies of the receipts are posted to a secure web bulletin board. Voters can verify that their receipt is correctly posted. A (universally) verifiable tabulation is performed on the receipts. Checks are performed at each stage to detect any attempt to decouple the encryption of the receipt from the decryption performed by the tellers. But, proofs provided to the voter of correct encryption of their vote must not be transferable. Bertinoro 2010P Y A Ryan Prêt à Voter14

15 Design philosophy –“Verify the election, not the system!” –Assurance of accuracy should be based on maximal transparency and auditability –Not on (claims of) correctness of code etc. –End-to-end verifiability. –Software independence. –Assurance by the people for the people! –As simple and understandable as possible. Bertinoro 2010P Y A Ryan Prêt à Voter15

16 Prêt à Voter Ballot forms encode the vote in familiar form (e.g. a  against the chosen candidate). The candidate list is (independently) randomised for each ballot form. Information defining the candidate list is buried cryptographically in an “onion” value printed on each ballot form. Bertinoro 2010P Y A Ryan Prêt à Voter16

17 Prêt à Voter Each ballot form has a unique, secret, random seed s buried cryptographically with threshold public keys of a number of tellers in an “onion” printed on the form. For each form, a permutation of the candidate list is computed as a publicly known function of this seed. The seed can only be extracted by the collective actions of tellers, or suitable subset if a threshold scheme is used. Bertinoro 2010P Y A Ryan Prêt à Voter17

18 Typical Ballot Sheet Obelix Asterix Idefix Panormix Geriatrix $rJ9*mn4R&8 Bertinoro 2010 P Y A Ryan Prêt à Voter 18

19 Voter marks their choice Obelix Asterix  Idefix Panoramix Geriatrix $rJ9*mn4R&8 Bertinoro 2010 P Y A Ryan Prêt à Voter 19

20 Voter’s Ballot Receipt  $rJ9*mn4R&8 Bertinoro 2010 P Y A Ryan Prêt à Voter 20

21 Florida 2000 Bertinoro 2010P Y A Ryan Prêt à Voter21

22 The voting “ceremony” Can be varied, but possible scenario: –Voter enters the polling station and takes a ballot form at random, sealed in an envelope. –The voter goes to a booth, extracts the ballot form and makes their mark. –LH strip is destroyed/discarded. –The voter leaves the booth with the RH strip, which forms the receipt, and registers with an official. –A digital copy, (r, Onion), of the receipt is made. The receipt is digitally signed and franked. Additionally, a paper audit copy can be made. –The voter exits the polling station with their receipt. Bertinoro 2010P Y A Ryan Prêt à Voter22

23 Checking and tabulation –Digital copies of the “protected receipts” are posted to the Web Bulletin Board. –The voters, or proxies, can visit the WBB and confirm that their receipt appears correctly. –An anonymising tabulation is performed on posted receipts: re-encryption mixes followed by threshold decryption. Bertinoro 2010P Y A Ryan Prêt à Voter23

24 Remarks The receipt reveals nothing about the vote Voter experience simple and familiar. No need for voters to have personal keys or computing devices. Votes do not communicate their choice to any device. Vote casting can be in the presence of an official (à la Française). Voters could be allowed to audit ballots of their choice. An encrypted paper audit trail can be incorporated. Works for ranked, STV etc (module “Italian” style attacks). Bertinoro 2010P Y A Ryan Prêt à Voter24

25 In Maths We Trust! All this is fine as long as we are happy to trust “The Authority”, the tellers etc. But we want to trust nobody, just trust in maths/cryptography. For the accuracy requirement: –Ballot forms may be incorrectly constructed, leading to incorrect encoding of the vote. –Ballot receipts could be corrupted before they are entered in the tabulation process. –Tellers may perform the decryption incorrectly. We now discuss the corruption/fault detection mechanisms. Bertinoro 2010P Y A Ryan Prêt à Voter25

26 Open audit A random selection of ballots are audited for well-formedness. Voters, or proxies, check that receipts are correctly posted on the BB. A verifiable, anonymous tabulation is performed on posted receipts, using partial random checking of Neff style ZK proofs. Bertinoro 2010P Y A Ryan Prêt à Voter26

27 Evolution Prêt is actually a suite of designs, driven by the identification of vulnerabilities and the search for greater flexibility, usability etc. Co-evolution of threats and requirements. Bertinoro 2010P Y A Ryan Prêt à Voter27

28 Decryption vs re-encryption mixes Early versions of Prêt use decryption mixes. Good for handling full permutations, but lack flexibility etc. –Re-encryption mixes are much more flexible and robust. –Can be rerun or run in parallel. –Mixers don’t need secret keys etc –Clean separation of mix and decryption. Newer versions use re-encryption mixes. Bertinoro 2010P Y A Ryan Prêt à Voter28

29 Vulnerabilities Chain of custody of ballots Ballot stuffing Chain voting “Italian” style attacks Retention of LH side Randomisation “social-engineering” psychological Kleptographic Key/entropy generation……. Bertinoro 2010P Y A Ryan Prêt à Voter29

30 Chain of custody Procedural mechanisms Need to protect secrecy and integrity Envelopes Anti-counterfeiting On-demand creation: Voter auditing, multiple auditing, dual ballots Bertinoro 2010P Y A Ryan Prêt à Voter30

31 Chain-voting Conceal “onion”, e.g. with scratch strip. Verified re-encryption of “onion”. On-demand generation of ballots along with logging serial numbers. Etc Bertinoro 2010P Y A Ryan Prêt à Voter31

32 Destruction of the LH side Procedural mechanisms Mechanical mechanisms Presence of decoy strips Slotted LH strip that falls apart. Markpledge style mechanism?-but hard to achieve without having to communicate choice to the device. Bertinoro 2010P Y A Ryan Prêt à Voter32

33 Randomisation Attacker demands the receipt has a special form, e.g. X in first place. Counter: have multiple ballots available, e.g. via “Benaloh” style auditing. Bertinoro 2010P Y A Ryan Prêt à Voter33

34 “social-engineering” Example: cut-and-choose into choose- and-cut. Counter: better user understanding, training. Simpler ceremonies. …. Bertinoro 2010P Y A Ryan Prêt à Voter34

35 Psychological Attackers convince voters that their receipt can be read. Counters: Educate voters Farnel/twin mechanism. Bertinoro 2010P Y A Ryan Prêt à Voter35

36 Kleptographic Device exploits some freedom in randomness to leak information via subliminal channels. Counters: Distributed generation of entropy. Pseudo-random, e.g. signature over serial number. Bertinoro 2010P Y A Ryan Prêt à Voter36

37 Socio-technical aspects Never achieve absolute security. Not enough to analyse the technical core. Need to balance technical and procedural mechanisms. Need to account for the “whole” system. Current systems not perfect-new systems need to be at least as good. Bertinoro 2010P Y A Ryan Prêt à Voter37

38 Conclusions Secure voting systems a dynamic area of research. Lots of open questions! Highly socio-technical in nature. Possibility of highly modular designs. Bertinoro 2010P Y A Ryan Prêt à Voter38

39 Future work On the current model: –Determine exact requirements. –Formal analysis and proofs. –Construct threat and trust models. –Investigate error handling and recovery strategies. –Develop a full, socio-technical systems analysis. –Develop prototypes and run trials, e.g., e-voting games! –Investigate public understanding, acceptance and trust. Bertinoro 2010P Y A Ryan Prêt à Voter39

40 Future work Beyond the current scheme: –Finalise remote, coercion resistant version (using “capabilities”). –Re-encryption mixes for general electoral methods. –Establish minimal assumptions. –Alternative sources of seed entropy: Voters, optical fibres in the paper, quantum…? –Alternative robust mixes. –Quantum variants. –Unconditional schemes? Bertinoro 2010P Y A Ryan Prêt à Voter40

41 OpenVeto (Hoa, Zielinski) Boardroom style: only open authenticated channels-no private channels. Suppose n members P i. Choose large prime p and a generator g of a subgroup order q of Z p *, q|(p-1). In which taking discrete logs is intractable. i.e. Usual El Gamal setting. Bertinoro 2010P Y A Ryan Prêt à Voter41

42 OpenVeto P i chooses x i at random and broadcasts:  i :=g xi plus ZK proof of knowledge of x i. After all have broadcast, each checks the ZK proofs and Pi computes:  i :=  j=1 i-1  j /  j=i+1 n  j P i now broadcasts: i :=  i xi + ZK proof if no veto :=  i ri + ZK proof random r i if veto Bertinoro 2010P Y A Ryan Prêt à Voter42

43 The outcome All compute:  j=1 n i =1 if no veto  1 if >0 veto If all choose r i =x i, the terms in the exponent cancel out. Note: could use crypto commitments in place of ZK proofs, but extra rounds. Bertinoro 2010P Y A Ryan Prêt à Voter43

44 OpenVote (Hoa, Ryan, Zielinski) Again Pi broadcasts:  i :=g xi plus ZK proof of knowledge of x i. After all have broadcast each checks the ZK proofs and Pi computes:  i = g yi :=  j=1 i-1  j /  j=i+1 n  j But now i :=  i xi g vi + + ZK proof vi=0  1 with vi=1 for Yes, vi=0 for No. Bertinoro 2010P Y A Ryan Prêt à Voter44

45 OpenVote ZK proof: need to show that vi = 0 or 1 without revealing which. Form the ElGamal encryption of g vi with PK  i =g yi and randomisation xi: z i := (  i, i ) = (g xi, g yi  xi g vi ) Now use the Cramer, Damgård, Schoenmakers technique to prove that z i is an encryption of 1 or g. Bertinoro 2010P Y A Ryan Prêt à Voter45

46 Tabulation All can compute:  j=1 n  i = g  vi  v i is the number of “Yes” votes. Can be extended to handle >2 candidates using trick due to Baudrot et al, using a super-increasing sequence to encode the candidates: 2 0, 2 k, 2 2k,....with 2 k > v, the number of voters. Bertinoro 2010P Y A Ryan Prêt à Voter46

Download ppt "Prêt à Voter A brief (heavily biased) history of verifiable voting Bertinoro 2010P Y A Ryan Prêt à Voter1 Peter Y A Ryan University of Luxembourg."

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Pretty Good Democracy James Heather, University of Surrey

Pretty Good Democracy James Heather, University of Surrey
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
ETen E-Poll ID – Strasbourg COE meeting 23-24 November, 2006 Slide 1 E-TEN 29332 E-POLL Project Electronic Polling System for Remote Operation Strasbourg.

ETen E-Poll ID – Strasbourg COE meeting November, 2006 Slide 1 E-TEN E-POLL Project Electronic Polling System for Remote Operation Strasbourg.
A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.

A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.

By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.
Self-Enforcing E-Voting (SEEV) Feng Hao Newcastle University, UK CryptoForma’13, Egham.

Self-Enforcing E-Voting (SEEV) Feng Hao Newcastle University, UK CryptoForma’13, Egham.

Similar presentations

Ads by Google