Cast, but verify

Cast, but verify. Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague, University of Melbourne, vjteague@unimelb.edu.au. CIS department seminar, March ’14.


Presentation Transcript


  1. Cast, but verify. Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague, University of Melbourne, vjteague@unimelb.edu.au. CIS department seminar, March ’14

  2. Why verifiable voting? What’s wrong with this picture? [Diagram: voters’ PCs send RSA-encrypted votes to an Electoral Commission server holding the decryption key, which produces the election outcome]

  3. The challenge • Vote privacy is relatively easy • Using standard crypto and a completely trusted decryption & counting system • Verifiability is relatively easy • If you don’t care about privacy: just make all the votes public • The challenge is to do both: • verifiably accurate results that preserve privacy

  4. Electronic election verification • Each voter can check that their vote matches their intention • Even if the computer they’re using is compromised • Everyone can check that the votes were properly handled after casting • Not in this talk • Details about privacy • Verifying the counting software • e.g. Rajeev Goré’s work on EVACS. • Other important requirements • Usability, robustness, security from outside attack,

  5. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • VEC verifiable system based on prêt à voter • Electronic ballot markers (WA, Tas, proposed NSW)

  6. iVote (NSW) 2011 • Voters log in again later to query the system and see if they get the right “verification” number back [Diagram: each voter receives a verification number (Verif1, Verif2, Verif3) and later queries the system for it]

  7. iVote 2015 • A new version is proposed for 2015 NSW state election • Voter sends vote to server using plain SSL/TLS again • Each voter checks their vote (unencrypted) with an “auditor” • But don’t worry, the auditor can’t possibly tell who you are just by looking at your IP address • Auditor promises to check that they all go properly into the count • See draft design at http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf

  8. iVote (proposed NSW) 2015 [Diagram: the voter sends the vote to the Electoral Commission over TLS, then performs a plaintext vote check with the Auditor, also over TLS]

  9. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • VEC verifiable system based on prêt à voter • Electronic ballot markers (WA, Tas, proposed NSW)

  10. Norway • A partially-verifiable Internet voting scheme • Used in recent Norwegian local & parliamentary elections • Openly-available source code with public docs & papers • Uses Norwegian government electronic ID scheme • Implemented by Scytl

  11. Example 3: Norway [Figure: a sample code sheet listing the parties Red, Green, Chequered, Fuzzy, Cross and Yellow alongside the four-digit codes 3492, 3513, 8934, 3489, 0114 and 9253] • Each voter gets a “code sheet” by snail mail • Everyone’s code sheet is different • Voter’s PC encrypts party name, sends to server • Authorities SMS party code to voter’s mobile phone • Corrupt PC can’t lie about your vote undetectably • Unless it learns the codes

  12. Norway • An admirable process • Public consultation, open source code, academic review, honesty about problems • Still some gaps in the protocol • But at least they know what they are • And some bugs in the implementation • But there’s a process for finding and fixing them • The open process allows for a scientific discussion based on facts & careful analysis

  13. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • VEC verifiable system based on prêt à voter • Electronic ballot markers (WA, Tas, proposed NSW)

  14. Helios • An “end-to-end verifiable” Internet voting scheme • By Adida, de Marneffe, Pereira • Source code and docs at heliosvoting.org • Used by the IACR in their board elections • Each voter can verify that their vote is • cast as they intended • Properly included in the count • Anyone can verify that all the included votes are properly decrypted and tallied

  15. One-page reminder about public key crypto • The receiver generates two keys: • a public key e (for encrypting), and • a private key d (for decrypting) • She publicises the public key e • People use this for encrypting messages • They also include some randomness r • Ciphertext • C = Enc_e(msg, r) • She keeps the private key d secret • She uses this for decrypting messages

  16. Helios: cast-as-intended verification • You don’t trust your PC to encrypt the right thing • You do trust your PC for privacy • Ask your PC to produce lots of (different) encrypted votes • It doesn’t know which one you’re going to use • Photograph them, print them, or send them to other devices • Ask your PC to ‘open’ all but one of them • i.e. to tell you the randomness r it used for encrypting • Get the other devices to check the encryption was right • They just recompute Enc_e(msg, r) • Cast the one you didn’t open • So your privacy is preserved
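The challenge described on slide 16, as an added example that is not Helios code: exponential ElGamal over a constructed toy group, a PC that produces several encryptions, an independent device that recomputes Enc_e(vote, r) for the opened ones, and a count of how often a PC that corrupts one ciphertext escapes. All names and the group parameters are assumptions for this illustration.

```python
import secrets

# Toy group parameters, constructed for illustration only: p = 2q + 1 with q prime,
# G generating the order-q subgroup. Real deployments use groups of 2048 bits or more.
P, Q, G = 2039, 1019, 4

def keygen():
    """Authority's private key d and public key e = G^d (slide 15's (d, e))."""
    d = 1 + secrets.randbelow(Q - 1)
    return d, pow(G, d, P)

def encrypt(e, vote, r):
    """Exponential ElGamal: Enc_e(vote, r) = (G^r, G^vote * e^r). vote is 0 or 1."""
    return pow(G, r, P), pow(G, vote, P) * pow(e, r, P) % P

def decrypt(d, ct):
    """Returns G^vote; the authority recovers vote itself by a small table lookup."""
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - d, P) % P      # c2 / c1^d, inverse via Fermat

def pc_prepare(e, vote, n):
    """The voter's PC (not trusted for correctness) makes n encryptions of the same
    vote with fresh randomness and keeps every r so it can later 'open' them."""
    rs = [1 + secrets.randbelow(Q - 1) for _ in range(n)]
    return [encrypt(e, vote, r) for r in rs], rs

def audit(e, vote, cts, rs, keep):
    """Independent device: recompute Enc_e(vote, r) for every opened ciphertext
    (all except index `keep`) and compare with what the PC displayed."""
    return all(encrypt(e, vote, r) == c
               for i, (c, r) in enumerate(zip(cts, rs)) if i != keep)

def benaloh_challenge(e, vote, n=4):
    """Honest run: PC prepares n ciphertexts, voter picks one at random to cast
    once the other n-1 audit cleanly. Returns (audit_ok, ciphertext_to_cast)."""
    cts, rs = pc_prepare(e, vote, n)
    keep = secrets.randbelow(n)          # chosen only after the PC committed to cts
    return audit(e, vote, cts, rs, keep), cts[keep]

def escapes_out_of_n(e, vote, n=4):
    """A PC that flips exactly one of the n ciphertexts escapes only when the voter
    happens to cast that one: count the escaping choices of `keep` out of n."""
    cts, rs = pc_prepare(e, vote, n)
    bad = secrets.randbelow(n)
    cts[bad] = encrypt(e, 1 - vote, rs[bad])    # wrong vote, same randomness
    return sum(audit(e, vote, cts, rs, keep) for keep in range(n))
```

With n ciphertexts the single corrupted one is caught for n-1 of the n possible choices, so a cheating PC survives with probability 1/n per voter; the cast ciphertext is never opened, which is what keeps the vote private.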

  17. So why not use Helios for Aus government elections? • Difficulty of cast-as-intended protocol • Voters need to understand it to get it right • Extension to STV ballots with 97 people • Computational scalability

  18. Internet Voting: summary • There is no end-to-end verifiable Internet voting scheme that’s • Usable for ordinary voters • Adaptable to Australian-style preferential elections • And we haven’t even talked about • Authenticating the voters • Preserving privacy

  19. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • Vic verifiable system based on prêt à voter • Voting • Checking from home that your vote is there • Verifying shuffling and decryption • Privacy • Electronic ballot markers (WA, Tas, proposed NSW)

  20. The Victorian Electoral Commission’s polling-place voting system • I’ve done a lot of work on this project • But am not representing the VEC’s official position in any way • Based on the prêt à voter end-to-end verifiable voting scheme (Ryan, Schneider, Chaum) • Implemented by a team at U Surrey (Culnane, Heather, Schneider) • With some help from the VEC (Burton) • This scheme is end-to-end verifiable • Except that the point at which its output is joined with the rest of the ballots is observable only by scrutineers

  21. Victoria polling-place 2014 cont’d • Each voter gets a human-readable printout to check • The printout is transformed into an encrypted receipt • The voter gets evidence that this is the vote they intended • Without being able to prove to others how they voted • Voter takes their encrypted receipt home • checks that it’s in the accepted list • The accepted list is shuffled & decrypted with a mathematical proof of correctness • Which anyone can check • Source code at https://bitbucket.org/vvote

  22. Prêt à Voter • Uses pre-prepared paper ballot forms that encode the vote in familiar form. • The candidate list is randomised for each ballot form. • Information defining the candidate list is encrypted in an “onion” value printed on each ballot form. • Actually, we print a serial number that points to the encrypted values in a public table

  23. Ballot auditing • Each voter can challenge as many ballots as they like • And get a proof that the onion matches the candidate list • Then don’t use that ballot • Then vote on an unchallenged one • So you can’t prove how you voted

  24. Voting • Fill in the boxes as usual • Use a computer to help • Check its printout • Against candidate list • Shred candidate list • Computer uploads vote • Same info as on printout • Take printout home • It doesn’t reveal the vote [Figure: example ballot marked with the preferences 5, 1, 3, 2, 4]

  25. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • Vic verifiable system based on prêt à voter • Voting • Checking from home that your vote is there • Verifying shuffling and decryption • Privacy • Electronic ballot markers (WA, Tas, proposed NSW)

  26. Checking from home that your vote is there • There’s a public website listing all the receipts • More precisely, there’s a “bulletin board” which is a public website augmented with some evidence that everyone sees the same data • Find yours

  27. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • Vic verifiable system based on prêt à voter • Voting • Checking from home that your vote is there • Verifying shuffling and decryption • Privacy • Electronic ballot markers (WA, Tas, proposed NSW)

  28. Verifying shuffling and decryption • Now we have a list of encrypted votes • On a public website • Encrypted, and linked to voter’s identities • Because each voter still holds their receipt • We want to • Shuffle the votes • To break the link with voter ID • Decrypt the votes • Prove that this was done correctly

  29. What’s public-key cryptography? • The receiver generates two keys: • a public key e (for encrypting), and • a private key d (for decrypting) • She publicises the public key e • People use this for encrypting messages • They also include some randomness • She keeps the private key d secret • She uses this for decrypting messages

  30. Picture of public-key cryptography [Diagram: Sender and Receiver, with RSA encryption on the sender’s side and RSA decryption on the receiver’s side]

  31. Re-randomising encryption • Without knowing the secret key, re-do the randomness used in the encryption • The message stays the same • But the new encryption can’t be linked to the old one

  32. Randomised partial checking • By Jakobsson, Juels & Rivest • Significant improvements by Wikström • We can’t (completely) prevent a hacker from breaking in to all the computers and changing the votes, but • We can check the process thoroughly enough to be confident that • If the checks succeed then • The system produced the right output • With very high probability

  33. Randomised partial checking • A pair of mix servers shuffle and rerandomise • Choose randomly to prove the link to start or end

  34. Provable decryption step • Trust me, this can be done • Using Chaum-Pedersen proofs of dlog equality • Showing proper decryption of an ElGamal ciphertext given the ElGamal public key
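The two steps slides 31 and 34 leave as assertions, re-randomising an ElGamal ciphertext with only the public key and then proving a decryption correct with a Chaum-Pedersen proof of discrete-log equality, as an added example that is not vVote or Surrey code. The toy group and the use of SHA-256 as a Fiat-Shamir challenge are assumptions made for this illustration.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy group (constructed): p = 2q + 1, G of order q

def keygen():
    """Private key d, public key e = G^d."""
    d = 1 + secrets.randbelow(Q - 1)
    return d, pow(G, d, P)

def encrypt(e, m, r):
    """ElGamal with message m in the order-Q subgroup: (G^r, m * e^r)."""
    return pow(G, r, P), m * pow(e, r, P) % P

def rerandomise(e, ct):
    """Slide 31: anyone holding only the public key multiplies in a fresh
    encryption of 1. Same plaintext, but unlinkable to the old ciphertext."""
    s = 1 + secrets.randbelow(Q - 1)
    c1, c2 = ct
    return c1 * pow(G, s, P) % P, c2 * pow(e, s, P) % P

def decrypt(d, ct):
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - d, P) % P      # c2 / c1^d

def _challenge(*vals):
    """Fiat-Shamir challenge: hash of the public transcript, reduced mod Q."""
    h = hashlib.sha256(",".join(str(v) for v in vals).encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_decryption(d, e, ct, m):
    """Chaum-Pedersen proof that log_G(e) = log_c1(c2 / m), i.e. that m really is
    the decryption of ct under the key behind e (slide 34's dlog equality)."""
    c1, c2 = ct
    y = c2 * pow(m, P - 2, P) % P              # c2 / m, should equal c1^d
    w = 1 + secrets.randbelow(Q - 1)
    a, b = pow(G, w, P), pow(c1, w, P)         # commitments with the same exponent
    ch = _challenge(G, e, c1, y, a, b)
    return a, b, (w + ch * d) % Q

def verify_decryption(e, ct, m, proof):
    """Anyone can check the proof using public data only."""
    c1, c2 = ct
    y = c2 * pow(m, P - 2, P) % P
    a, b, s = proof
    ch = _challenge(G, e, c1, y, a, b)
    return (pow(G, s, P) == a * pow(e, ch, P) % P
            and pow(c1, s, P) == b * pow(y, ch, P) % P)
```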

  35. Outline • On the Internet • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • Helios (Adida, de Marneffe, Pereira et al.) • In the polling place • Vic verifiable system based on prêt à voter • Voting • Checking from home that your vote is there • Verifying shuffling and decryption • Privacy • Electronic ballot markers (WA, Tas, proposed NSW)

  36. Privacy • Whenever you have a computer helping you fill in your vote, that computer is a privacy risk • So is the ballot printer • There are some clever schemes for verifiable voting that don’t tell your computer how you voted • e.g. the “plain” version of prêt à voter in which you fill in the ballot with a pencil • But none of them work with 30-candidate STV • This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote

  37. Summary • This provides a rigorous after-the-fact argument that the answer was right (with high probability) • To the court we’d say • We worked really hard to make sure the software was correct • We worked really hard to make the computers secure • But even if these were not perfect: • The voters & the public could check the integrity of the data directly • And the scrutineers can reconcile that with the rest of the count • And would have detected a manipulation with high probability

  38. Feedback • If you’d like to write your own proof checker, verifier, signature checker, etc, for vVote, please come and talk to me, • If you think you’ve found a bug, please come and talk to me, • If you read the supporting materials and you think you’ve found a bug, please come and talk to me.

  39. Outline • On the Internet • Helios (Adida, de Marneffe, Pereira et al.) • NSW (Everyone Counts) • Norway (Gjøsteen, Scytl) • In the polling place • VEC verifiable system based on prêt à voter • Electronic ballot markers (WA, Tas, proposed NSW)

  40. A human-readable paper record • So the voter can check directly that their vote is cast as they intended • Electronic ballot marker • Vote on a computer, print your vote, put it in a ballot box • In use in WA & Tas, proposed in NSW • Good for voters who need assistance and also for validity checking for everyone

  41. Conclusion • Verifiable Internet voting is an unsolved problem • Verifiable polling-place voting has several sensible solutions • But there are important details in extending them to Australian voting

  42. So what happens now? • The AEC recently produced a discussion paper on Internet voting • http://www.eca.gov.au/media/18-09-13.htm • "7.8 As noted in Part 1, the extent to which it can be guaranteed that votes cast on the internet will not be susceptible to interference of one form or another has been a matter of vigorous dispute. This paper takes no stand on that issue, ..." • "7.17 The need for new transparency mechanisms to replace those associated with the paper ballot remains a matter of fundamental importance, and one which will rise in significance in direct proportion to the number of people actually using internet voting. Elaboration of such mechanisms is beyond the scope of this paper."
