
Secure Voting Systems



  1. Secure Voting Systems CSCI 283-172 Fall 2010 GW

  2. Outline
  • Current voting technology, limitations
  • Cryptographic approach; paradigm shift
  • “End-to-end” voting systems
  • Electronic E2E voting systems?

  3. Current Technology

  4. In the world’s oldest continuous democracy
  • Humboldt County, CA: voting machines dropped 197 votes – Wired, 12-8-2008
  • Florida’s 13th Congressional District (2006): One in seven votes recorded on voting systems was blank – US Government Accountability Office, 2-8-2008
  • Franklin County, Ohio: computer error gave Bush 3,893 extra votes in one precinct – WaPo, 11-6-2004
  • In a North Carolina County: 4,500 votes were lost – WaPo, 11-6-2004

  5. Voting Machine Analysis
  • Kohno et al (2004): Diebold AccuVote-TS DRE*
    • Voters can cast unlimited votes without detection
    • Insiders can modify votes and match votes to voters
  • Felten (2006): “Hotel Minibar Keys Open Diebold Voting Machines”
  • Bishop, Wagner et al (2007): CA “Top to Bottom Review”
    • Voter can insert a virus into code
    • Virus can spread through the state’s election system
  And so on …: optical scan (Kiayias et al, 2007), Ohio voting machines OS + DRE (McDaniel et al, 2007); NJ DREs (Appel et al, 2009)
  *DRE: Direct Recording Electronic

  6. More exhaustive testing?
  • Not possible to test large programs for the absence of errors
  • Cannot rely only on
    • software
    • software testing
  • How do we know: what was tested = what was used?

  7. Software Independence

  8. Software Independence
  A voting system is software independent* if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome.
  • ≠ Don’t use software
  • = Error-free software is not an assumption
  • Should check the output of software
  *Rivest and Wack

  9. Shift the Focus: Audit the Election, Not the Equipment
  Instead of checking
  • all the software, and
  • that it will perform several operations correctly every time
  Determine that only the tally is correct, only this time

  10. Paper Back-Up
  Voter-Verified Paper Audit Trail (VVPAT) is SI (VVSG)
  Presidential Primary, San Mateo County, CA, 2008 Election
  All pictures on this slide: Joseph Lorenzo Hall http://www.flickr.com/photos/joebeone/ Creative Commons 2.0. The views in this presentation are the speaker’s alone and should not be attributed to Hall
  At least “we” can count paper

  11. Voting Technology: 2008 US Election (map legend)
  • Paper Ballot (also Puerto Rico)
  • Paper Ballot and Punch Card
  • Mixed Paper Ballot and DREs with VVPAT (also Hawaii and Alaska)
  • DREs with VVPAT
  • Mixed Paper Ballot and DREs with and without VVPAT
  • Mixed Paper Ballot and DREs without VVPAT
  • DREs without VVPAT
  • Mechanical Lever Machines and Accessible Ballot Marking Devices
  Source: Verified Voting Foundation

  12. Map of Electronic Democracy (map legend)
  • no E-Voting
  • Planning, trials, non-legally binding E-Voting
  • Successful legally binding electronic voting with voting machines
  • Successful legally binding internet voting
  • Successful legally binding internet and electronic voting
  • Stopped electronic voting with voting machines
  E-Voting.CC (Competence Center for Electronic Voting and Participation) (2009): Map of Electronic Democracy. In: Modern Democracy (2)/1. pp. 8-9. URL: http://e-voting.cc/files/e-voting-map-2010

  13. Assumptions (Lowry and Vora, 2010)
  • Secure Chain of Custody
    • Of audit trail
  • Procedures are Followed
    • Follow procedure, count/recount correctly
  • Randomness*
    • Audits include element of randomness not predictable by voting system
  • Usable/Human-Error-Resistant Auditability*
    • Auditability (e.g.: VVPATs) aspects easy to use
  * Assumptions pointed out by John Kelsey

  14. At least “we” can count paper, BUT
  • Everyone cannot use paper
  • Inefficient
    • Recall how long it took to declare the final result of the 2008 Minnesota Senate election, 2010 Alaska Senate election
    • To be fair: may be inherent in the manner in which paper is marked, often difficult to determine voter intent
  • Potentially inaccurate counts and recounts
  Problems of integrity remain
  • “we” = persons with privilege
  • Still need to secure cast ballots till counting: i.e. maintain secure chain of custody
  • Need physical presence during counting
  Can we distribute the burden of a secure chain of custody: can the voter keep a part of the paper trail? Can the tally be counted in a virtually-verifiable manner?

  15. ATM Receipt: Solution?
  Photo credit: Joseph Lorenzo Hall http://www.flickr.com/photos/joebeone/ Creative Commons 2.0
  Anyone can verify tally: Complete Transparency! No ballot secrecy } Essential trade-off

  16. Coercible
  Photo credit: Joseph Lorenzo Hall http://www.flickr.com/photos/joebeone/ Creative Commons 2.0
  Evidence used to catch cheating system can also be used to sell vote: voter possesses evidence that can be used to prove how she voted

  17. Cryptographic Voting Systems

  18. Encrypted Paper Trail
  (Picture of a receipt: Lok Sabha Elections 2009, Parliamentary Constituency: Gandhinagar, Receipt No: 7151058 X897)
  1. Voter Casts Encrypted Vote and Takes Copy out of Polling Booth
  2. Voter Checks Receipt on Website/Newspaper

  19. First Approach: Mixnet-Based Invention of secure electronic voting Chaum (1981)

  20. Mixnet: Public key encryption/decryption
  A vote, $v_j$, is encrypted using the public keys of several mixes:
  Receipt $= E_{pub_1}(r_1, E_{pub_2}(r_2, \ldots E_{pub_{n-1}}(r_{n-1}, E_{pub_n}(r_n, v_j)) \ldots))$
  The $i$th mix gets $E_{pub_i}(r_i, \ldots E_{pub_n}(r_n, v_j) \ldots)$, decrypts with its private key, discards $r_i$, shuffles

  21. Partial decryption using asymmetric-key cryptography
  3. Votes are decrypted and shuffled
  (Picture: public bulletin board listing receipt codes 34W1 5GXT, AC1U NZ2Q, HY40 LN04, 9IK1 S43R, 2LS7 77JH, B8OH MBFD, 5TJG AZ9J, DEV6 LOQ1 beside the decrypted candidate names Thakor and Advani)
  On public website: anyone can compute tally

  22. 4. Tally Audit
  • Public audit, using public information
    • information not restricted to persons of privilege
  • Efficient tally audits that are not zero-knowledge
    • Jakobsson, Juels, Rivest (2002)
    • Chaum (2004)
  • Less efficient ZK audits
    • Sako and Kilian (1995)
  • Voting protocols can protect
    • tally integrity or vote secrecy (but not both)
    • against an adversary who can break the cryptography

  23. For Example: Tally Audit (Not ZK), Jakobsson, Juels, Rivest (2002)
  (Picture: the same bulletin board of receipt codes 34W1 5GXT … DEV6 LOQ1 beside candidate names Thakor and Advani, with asterisks marking the opened entries)
  Chosen mix reveals $r_i$ and the corresponding input/output; anyone can check correspondence using public key
  On public website: anyone can check opened commitments

  24. Second Approach: Homomorphic Encryption First proposed by Cohen (now Benaloh) and Fischer (1985)

  25. Homomorphic Voting (Baudron et al, 2001)
  Simple Example: two candidates
  Paillier public-key system: public $g$, $N$
  $m$ encrypted as $g^m r^N \bmod N^2$
  $i$th voter encrypts vote $v_i = 0$ or $v_i = 1$ as $g^{v_i} r_i^N \bmod N^2$
  Voter provides zero-knowledge proof that he has cast a vote for one of “1” or “0”
  • And not for “3”, or “1000” or “-100” etc

  26. Homomorphic Tallying
  • Voting system multiplies all encryptions to obtain $g^{\sum_i v_i} \left(\prod_i r_i\right)^N \bmod N^2$
  • Decrypts with private key to obtain $\sum_i v_i \bmod N$
  • And reveals $\left(\prod_i r_i\right)^N$
  • $\sum_i v_i$ is number of votes for “1”
  • Decryption correctness can be verified by anyone using public key
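The two-candidate scheme of slides 25 and 26 carried through in code. This is an added example, not code from the lecture: a minimal Paillier implementation with toy primes, voters encrypting 0/1 votes, the multiplication of ciphertexts that tallies them, and the public check that the decrypted tally matches the posted ciphertext (the decryptor releases the combined randomiser $R = \prod_i r_i$ so anyone with the public key can recompute $g^{\sum v_i} R^N$). The zero-knowledge proof that each vote is 0 or 1 is not shown.

```python
import math
import secrets

# Small primes so the demo runs instantly (constructed; real keys use ~1024-bit primes).
P, Q = 10007, 10009

def _L(u, n):
    return (u - 1) // n

def keygen(p=P, q=Q):
    """Paillier key pair with the common choice g = N + 1."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m, r=None):
    """E(m) = g^m r^N mod N^2 with a fresh randomiser r; returns (ciphertext, r)."""
    n, g = pub
    if r is None:
        r = secrets.randbelow(n - 1) + 1   # gcd(r, N) = 1 except with negligible probability
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n), r

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return _L(pow(c, lam, n * n), n) * mu % n

def tally(pub, ciphertexts):
    """Homomorphic step: the product of all encryptions encrypts the sum of the votes."""
    n, _ = pub
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def open_tally(pub, priv, c_total):
    """Decrypt the tally and recover R = prod(r_i) mod N, the combined randomiser,
    so that anyone holding only the public key can recompute the tally ciphertext."""
    n, g = pub
    lam, _ = priv
    total = decrypt(pub, priv, c_total)
    r_to_n = c_total * pow(g, -total, n * n) % (n * n) % n   # = R^N mod N
    R = pow(r_to_n, pow(n, -1, lam), n)                        # N-th root mod N
    return total, R

def verify_tally(pub, c_total, total, R):
    """Public check: g^total * R^N mod N^2 must reproduce the posted tally ciphertext."""
    return encrypt(pub, total, R)[0] == c_total
```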

  27. The story so far (in 2002) …
  • Very interesting theoretical results: Chaum (1981), Cohen (now Benaloh) and Fischer (1985), Benaloh and Tuinstra (1994), Sako and Kilian (1995)
  • Relevant: zero-knowledge proofs and interactive/non-interactive proofs (e.g. Goldwasser-Micali-Rackoff (1985))
  • Efficient algorithms for secure multi-party computation
  • BUT: these assume voters are probabilistic-polynomial-time Turing machines
    • Voters can encrypt in their heads
    • Voters have access to trusted machines for encrypting votes
  • Encryption on trusted machines
    • Cannot use in polling booth
    • Cannot use to vote from home:
      • Home PCs can have viruses
      • Adversary can threaten or bribe voter

  28. Trusted encryption without trusted encryption device?

  29. End-to-end-independently-verifiable (E2E) Voting Systems, Chaum (2003-4), Neff (2004)
  • Voters need not trust encryption device (all following have prototypes):
  • Paper Ballots
    • Prêt à Voter (Ryan et al, 2005, Univ. of Surrey, Newcastle Univ., UK)
    • Punchscan (2006, Chaum, GW, UMBC, UOttawa)
      • First voter-verifiable binding election (grad student election at Univ. Ottawa, 2008)
      • Grand prize winner, International Voting System Competition VoComp, 2008
    • Voting Ducks (Wroclaw Univ. of Technology, Poland)
  • Electronic Ballots
    • Simple Verifiable Voting (Benaloh, 2006)
    • VoteBox (Sandler and Wallach, Rice Univ., 2008)
    • Helios (remote voting system, Adida, MIT/Harvard, 2008)
      • Recteur, Université Catholique de Louvain, Belgium (2009)
      • Princeton Undergraduate student government (2009)
    • Rijnland Internet Election System (RIES, remote voting system)
      • Netherlands governmental elections (2004, 2006)
      • coercible

  30. Use notion of commitment
  Alice commits to a value x by giving to Bob a value y such that:
  • Bob does not know x and
  • cannot determine it from y.
  At a later time Alice can open the commitment by revealing the value x and some r, such that Bob will know she hasn’t changed x since she committed to it by checking a relationship between x, r and y
  Example: y = Epub(x || r)

  31. General E2E Protocol
  Before election:
  • System commits to any parameters, and makes public keys etc
  Voting (interactive):
  1. Voter commits to whether he will audit or cast this vote
  2. Voter provides vote
  3. System provides encryption
  4. If audit: check encryption; go to 1. Else: cast encrypted vote
  After election:
  • System posts encrypted votes; voters check
  • System provides tally and encrypted audit trail
  • Tally audit (interactive)
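The commitment of slide 30 and the voting phase of slide 31, as an added simulation that is not part of the lecture. A hash commitment y = H(x || r) stands in for the Epub(x || r) example, and the same commitment doubles as the device's "encryption" of the vote; the VotingDevice class and its `cheat` flag are constructed here to show why the cast-or-audit choice catches a misbehaving encryptor.

```python
import hashlib
import secrets

def commit(value: bytes):
    """Commit to value: y = H(value || r) with fresh r (hash stand-in for E_pub on slide 30)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(value + r).digest(), r

def open_commitment(y: bytes, value: bytes, r: bytes) -> bool:
    """Bob's check that (value, r) is what y was committed to."""
    return hashlib.sha256(value + r).digest() == y

class VotingDevice:
    """Constructed encrypting device. It receives only the voter's commitment to
    audit-or-cast, so it cannot misbehave selectively on ballots it knows will be cast."""
    def __init__(self, cheat: bool = False):
        self.cheat = cheat          # constructed misbehaviour: swaps Alice votes for Bob

    def encrypt_vote(self, vote: bytes, voter_choice_commitment: bytes) -> bytes:
        recorded = b"Bob" if (self.cheat and vote == b"Alice") else vote
        y, r = commit(recorded)     # "encryption" = commitment to the recorded vote
        self._opening = (recorded, r)
        return y                    # goes on the voter's receipt

    def reveal(self):
        return self._opening        # opened only when the voter chooses audit

def vote_once(device: VotingDevice, vote: bytes, audit: bool):
    """One pass through the slide-31 voting steps; returns ('audit', ok) or ('cast', receipt)."""
    choice = b"audit" if audit else b"cast"
    y_choice, r_choice = commit(choice)               # 1. voter commits to audit/cast
    receipt = device.encrypt_vote(vote, y_choice)     # 2-3. voter gives vote, device encrypts
    assert open_commitment(y_choice, choice, r_choice)  # voter opens the choice commitment
    if audit:                                         # 4. audit: device must open the encryption
        _, r = device.reveal()
        return "audit", open_commitment(receipt, vote, r)
    return "cast", receipt                            # else: cast the encrypted vote

def run_election(device: VotingDevice, votes, audit_rate: float):
    """Each voter audits once with probability audit_rate, then casts (go to 1).
    Returns (cast receipts, number of audits that exposed a wrong encryption)."""
    receipts, failed = [], 0
    for v in votes:
        if secrets.randbelow(1000) < audit_rate * 1000:
            if not vote_once(device, v, True)[1]:
                failed += 1
        receipts.append(vote_once(device, v, False)[1])
    return receipts, failed
```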

  32. E2E Paper Ballot Systems
  • Ballots cleverly designed:
    • voter encrypts vote by marking special paper ballot
    • voter and voting system in an interactive protocol on a write-once tape
  • Some use a commitment-based back-end that uses more efficient symmetric-key encryption

  33. Example “Front (Encryption) Ends” of Paper-Ballot Systems

  34. General Description
  A voting system is a tuple (V, R, K, E, D), with a key-derivation function $f: S \to K$
  Receipt $r = (s, x, E(f(s), v))$
  r: receipt
  s: serial number
  x: decryption information, commitments
  f(s): key
  v: vote
  Given s and k, should be able to check that f(s) = k

  35. Chaum (2004): Visual Cryptography
  First complete technical description: Vora (2004). First non-commercial implementation of a voter-verifiable system: Hosp et al (2004)
  Ballot consists of two layers. Voter takes one home. It should reveal nothing about his vote
  Pictures from Stefan Popoveniuc, PhD Dissertation, GW, 2009

  36. Details
  • Receipt $= (s_a, x_a, v_{k_a})$
  • $x_a$: decryption information, commitments
  • $k_a = F(\mathrm{Sign}(s, p_a))$ is key for chosen layer $a$; $p_a$ is private key for layer $a$; $F$ is a PRNG
  • Receipts $(s_a, x_a, v_{k_a})$, $(s_{\bar a}, x_{\bar a}, v_{k_{\bar a}})$
  • Voter checks that: $s_a = s_{\bar a}$ and $v = r_a \oplus r_{\bar a}$, where $r_a$ is the set of pixels on the receipt, and includes $v_{k_a}$ and $k_{\bar a}$
  • Symmetric proof receipt

  37. Punchscan (Chaum, 2005); GW: Implementation (2006)
  • First voter-verifiable binding election (grad student election at Univ. Ottawa, 2008: UOttawa, UMBC, GW)
  • Grand prize winner, International Voting System Competition VoComp, 2008
  Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009

  38. Receipt
  • f(s) = a ā
  • No additional decryption information
  • Symmetric

  39. Scantegrity II (2008) UMBC, GW, MIT, Waterloo, UOttawa Photo by Alex Rivest

  40. Receipt
  • f(s) = an AES encryption key
  • No decryption

  41. Example: Prêt à Voter Encryption (Ryan et al, 2005)
  1. System encrypts vote
  2. Voters can choose to audit the encryption or cast it
  3. Audit ballot by opening onion
  4. Vote should decrypt to one for Buddhist
  (Picture: ballot with pseudo-random candidate ordering, an X marked, the “onion”, and the receipt. From Stefan Popoveniuc, PhD Dissertation, GW, 2009)

  42. Example: Prêt à Voter Tallying (Ryan et al, 2005)
  • Permutation is composition of several permutations, one for each mix
  • Onion contains seeds for each permutation, encrypted as a mixnet message
  • Mixes each:
    • decrypt onion
    • undo permutation
    • pass on rest of onion
  (Picture: ballot with pseudo-random candidate ordering, the “onion”, and the receipt. From Stefan Popoveniuc, PhD Dissertation, GW, 2009)

  43. Example: Commitment-Based Back-End (part of Punchscan system, Chaum et al (2004))
  • Punchscan has a different front-end
    • explanation on PaV front-end for simplicity
  • Retain composition of permutations
  • Instead of onion, a serial number
  • Instead of mix, set of commitments to:
    • permutations
    • position in the shuffle
  • More efficient than public-key decryption
  (Picture: ballot with pseudo-random candidate ordering and the “onion”. From Stefan Popoveniuc, PhD Dissertation, GW, 2009)

  44. Properties Not many rigorous definitions Most apply to single voting systems

  45. Desirable Property I: Auditability
  A voting system is auditable if it provides evidence about an election, to voters and the general public*, that can be used to determine the correctness of the election outcome.
  Evidence provided to:
  • Voters: Voter-auditable
  • Public: Publicly-auditable
  VVPAT records are voter-auditable. Publicly-auditable if recounts are performed in public.
  * First recommended to us by Stefan Popoveniuc

  46. Desirable Property II: Ballot Secrecy, Incoercibility
  A voting system is incoercible if additional information provided by the voting system (and the procedures/process for using it), combined with any evidence provided by the voter, does not improve an adversary’s guess on how the voter voted.
  • Ballot secrecy in spite of cooperation between adversary and voter

  47. End-to-End Independently-Verifiable (Lowry and Vora, 2009)
  A voting system is end-to-end independently-verifiable if an independent, honest observer can determine—with virtual certainty—whether a declared election outcome correctly represents the votes cast by voters. To the extent that the observer is required to trust:
  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures*: these should be limited to those for vote casting, and be publicly observable
    • (rationale: voter can complain if procedures not followed for her own vote)
  *Andy Regenscheid noticed that procedures need to be mentioned

  48. Voter-Verifiable
  A process is voter-verifiable if an honest voter can determine—with virtual certainty—whether the process was correctly carried out. To the extent that the voter is required to trust:
  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures: these should be limited to those for vote casting, and be publicly observable

  49. Universally-Verifiable
  A process is universally-verifiable if an honest observer can determine—with virtual certainty—whether the process was correctly carried out. To the extent that the observer is required to trust:
  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures: these should be limited to those for vote casting, and be publicly observable

  50. Honest Observer’s Point of View
  Independent honest observer notes that:
  • Ballot-casting is voter-verifiable
    • Voters verify some information about votes that comes out of voting process
  • Tally-processing is universally-verifiable
    • Voting system computes tally from this information in a universally-auditable manner
  • Then is virtually convinced that the election outcome is correct
