secure voting systems n.
Skip this Video
Loading SlideShow in 5 Seconds..
Secure Voting Systems PowerPoint Presentation
Download Presentation
Secure Voting Systems

Loading in 2 Seconds...

play fullscreen
1 / 67

Secure Voting Systems - PowerPoint PPT Presentation

  • Uploaded on

Secure Voting Systems. CSCI 283-172 Fall 2010 GW. Outline. Current voting technology, limitations Cryptographic approach; paradigm shift “End-to-end” voting systems Electronic E2E voting systems?. Current Technology. In the world’s oldest continuous democracy .

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Secure Voting Systems' - regina

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
secure voting systems

Secure Voting Systems

CSCI 283-172 Fall 2010


  • Current voting technology, limitations
  • Cryptographic approach; paradigm shift
  • “End-to-end” voting systems
  • Electronic E2E voting systems?
in the world s oldest continuous democracy
In the world’s oldest continuous democracy
  • Humboldt County, CA:voting machinesdropped 197 votes – Wired, 12-8-2008
  • Florida’s 13th Congressional District (2006): One in seven votes recorded on voting systems was blank – US Government Accountability Office, 2-8-2008
  • Franklin County, Ohio: computer error gave Bush 3,893 extra votes in one precinct – WaPo, 11-6-2004
  • In a North Carolina County: 4,500 votes were lost –WaPo, 11-6- 2004
voting machine analysis
Voting Machine Analysis
  • Kohno et al (2004): Diebold AccuVote-TS DRE*
    • Voters can cast unlimited votes without detection
    • Insiders can modify votes and match votes to voters
  • Felten (2006)
    • "Hotel Minibar Keys Open Diebold Voting Machines
  • Bishop, Wagner et al (2007): CA “Top to Bottom Review”
    • Voter can insert a virus into code
    • Virus can spread through the state’s election system

And so on ….

optical scan (Kiayias et al, 2007), Ohio voting machines OS + DRE (McDaniel et al, 2007); NJ DREs (Appel et al, 2009);

*DRE: Direct Recording Electronic

more exhaustive testing
More exhaustive testing?
  • Not possible to test large programs for the absence of errors
    • Cannot rely only on
      • software
      • software testing
  • How do we know:

what was tested = what was used?

software independence1
Software Independence

A voting system is software independent* if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome.

  • ≠ Don’t use software
  • = Error-free software is not an assumption
  • Should check the output of software

*Rivest and Wack

shift the focus
Shift the Focus

Audit the ElectionNot the Equipment

Instead of checking

  • all the software, and
  • that it will perform several operations correctly every time

Determine that only the tally is correct, only this time

paper back up voter verified paper audit trail vvpat is si vvsg
Paper Back-Up Voter-Verified Paper Audit Trail (VVPAT) is SI (VVSG)

Presidential Primary, San Mateo County, CA, 2008 Election

All pictures on this slide: Joseph Lorenzo Hall

Creative Commons 2.0

The views in this presentation are the speaker’s alone and should not be attributed to Hall

At least “we” can count paper

voting technology 2008 us election
Voting Technology: 2008 US Election

Paper Ballot (also Puerto Rico)

Paper Ballot and Punch Card

Mixed Paper Ballot and DREs with VVPAT (also Hawaii and Alaska)


Mixed Paper Ballot and DREs with and without VVPAT

Mixed Paper Ballot and DREs without VVPAT

DREs without VVPAT

Mechanical Lever Machines and Accessible Ballot Marking Devices

Source: Verified Voting Foundation


no E-VotingPlanning, trials, non-legally binding E-VotingSuccessful legally binding electronic voting with voting machines Successful legally binding internet votingSuccessful legally binding internet and electronic votingStopped electronic voting with voting machines

E-Voting.CC (Competence Center for Electronic Voting and Participation) (2009): Map of Electronic Democracy. In: Modern Democracy (2)/1. pp.8-9. URL:

assumptions lowry and vora 2010
Assumptions(Lowry and Vora, 2010)
  • Secure Chain of Custody
    • Of audit trail
  • Procedures are Followed
    • Follow procedure, count/recount correctly
  • Randomness*
    • Audits include element of randomness not predictable by voting system
  • Usable/Human-Error-Resistant Auditability*
    • Auditability (e.g.: VVPATs) aspects easy to use

* Assumptions pointed out by John Kelsey

at least we can count paper
At least “we” can count paper


  • Everyone cannot use paper
  • Inefficient
    • Recall how long it took to declare the final result of the 2008 Minnesota Senate election, 2010 Alaska Senate election
      • To be fair: may be inherent in the manner in which paper is marked, often difficult to determine voter intent
  • Potentially inaccurate counts and recounts

Problems of integrity remain

  • “we” = persons with privilege
  • Still need to secure cast ballots till counting: i.e. maintain secure chain of custody
  • Need physical presence during counting

Can we distribute the burden of a secure chain of custody: can the voter keep a part of the paper trail?

Can the tally be counted in a virtually-verifiable manner?


ATM Receipt: Solution?

Photo credit: Joseph Lorenzo Hall Creative Commons 2.0

Anyone can verify tally

Complete Transparency!

No ballot secrecy


Essential trade-off



Photo credit: Joseph Lorenzo Hall Creative Commons 2.0

Evidence used to catch cheating system can also be used to sell vote: voter possesses evidence that can be used to prove how she voted


Encrypted Paper Trail

Lok Sabha Elections 2009

Parliamentary Constituency: Gandhinagar

Receipt No: 7151058


1. Voter Casts Encrypted Vote and Takes Copy out of Polling Booth

2. Voter Checks Receipt on Website/Newspaper

first approach mixnet based

First Approach: Mixnet-Based

Invention of secure electronic voting

Chaum (1981)

mixnet public key encryption decryption
Mixnet: Public key encryption/decryption

A vote, vj, is encrypted using the public keys of several mixes:

Receipt =

Epub1(r1, (…

Epubn-1(rn-1, (

Epubn(rn, vj)

) )


ith mix gets: (Epubi(ri, ... (Epubn(rn, vj)))…)

decrypts with private key, discards ri, shuffles

3 votes are decrypted and shuffled

Partial decryption using assymetric-key cryptography

























On public website: anyone can compute tally

3. Votes are decrypted and shuffled
4 tally audit
4. Tally Audit
  • Public audit, using public information
    • information not restricted to persons of privilege
  • Efficient tally audits that are not zero-knowledge
    • Jakobsson, Juels, Rivest (2002)
    • Chaum (2004)
  • Less efficient ZK audits
    • Sako and Kilian (1995)
  • Voting protocols can protect
    • tally integrity or vote secrecy (but not both)
    • against an adversary who can break the cryptography
for example tally audit not zk jakobsson juels rivest 2002

























For Example: Tally Audit (Not ZK)Jakobsson, Juels, Rivest (2002)

Chosen mix reveals ri and the corresponding input/output;

anyone can check correspondence using public key









On public website: anyone can check opened commitments

second approach homomorphic encryption

Second Approach: Homomorphic Encryption

First proposed by

Cohen (now Benaloh) and Fischer (1985)

homomorphic voting baudron et al 2001
Homomorphic VotingBaudron et al (2001)

Simple Example: two candidates

Paillier public-key system:

public g, N

m encrypted as gm rN mod N2

ith voter encrypts vote: vi =0 or vi =1 as

gviriN mod N2

Voter provides zero-knowledge proof that he has cast a vote for one of “1” or “0”

  • And not for “3”, or “1000” or “-100” etc
homomorphic tallying
Homomorphic Tallying
  • Voting system multiplies all encryptions to obtain

gvi(ri)N mod N2

  • Decrypts with private key to obtain

vi mod N

    • And reveals (ri)N
  • vi is number of votes for “1”
  • Decryption correctness can be verified by anyone using public key
the story so far in 2002
The story so far (in 2002) …
  • Very interesting theoretical results

Chaum (1981), Cohen (now Benaloh) and Fischer (1985), Benaloh and Tuinstra (1994), Sako and Kilian (1995),

    • Relevant: zero-knowledge proofs and interactive/non-interactive proofs (e.g. Goldwasser-Micali-Rackoff (1985) )
    • Efficient algorithms for secure multi-party computation
  • BUT: these assume voters are probabilistic-polynomial-time Turing machines
    • Voters can encrypt in their heads
    • Voters have access to trusted machines for encrypting votes
  • Encryption on trusted machines
    • Cannot use in polling booth
    • Cannot use to vote from home:
      • Home PCs can have viruses
      • Adversary can threaten or bribe voter
end to end independently verifiable e2e voting systems chaum 2003 4 neff 2004
End-to-end-independently-verifiable (E2E) Voting SystemsChaum (2003-4), Neff (2004)
  • Voters need not trust encryption device (all following have prototypes):
  • Paper Ballots
    • Prêt à Voter (Ryan et al, 2005, Univ. of Surrey, Newcastle Univ., UK)
    • Punchscan (2006, Chaum, GW, UMBC, UOttawa)
      • First voter-verifiable binding election (grad student election at Univ. Ottawa, 2008)
      • Grand prize winner, International Voting System Competition VoComp, 2008
    • Voting Ducks (Wroclaw Univ. of Technology, Poland)
  • Electronic Ballots
    • Simple Verifiable Voting (Benaloh, 2006)
    • VoteBox (Sandler and Wallach, Rice Univ., 2008)
    • Helios (remote voting system, Adida, MIT/Harvard, 2008)
      • Recteur, Catholique Universite, Louvaine, Belgium (2009)
      • Princeton Undergraduate student government (2009)
  • Rijnland Internet Election System (RIES, remote voting system)
    • Netherlands governmental elections (2004, 2006)
    • coercible
use notion of commitment
Use notion of commitment

Alice commits to a value x

by giving to Bob a value y such that:

  • Bob does not know x and
  • cannot determine it from y.

At a later time

Alice can open the commitment

by revealing the value x and some r, such that:

Bob will know she hasn’t changed x since she committed to it

by checking a relationship between x, r and y

Example: y = Epub(x || r)

general e2e protocol
General E2E Protocol

Before election:

  • System commits to any parameters, and makes public keys etc

Voting (interactive):

  • Voter commits to whether he will audit or cast this vote
  • Voter provides vote
  • System provides encryption
  • If audit
    • Check encryption; Go to 1


    • Cast encrypted vote

After election:

  • System posts encrypted votes; voters check
  • System provides tally and encrypted audit trail
  • Tally audit (interactive)
e2e paper ballot systems
E2E Paper Ballot Systems
  • Ballots cleverly designed:
    • voter encrypts vote by marking special paper ballot
    • voter and voting system in an interactive protocol on a write-once tape:
  • Some use a commitment-based back-end that uses more efficient symmetric-key encryption
general description
General Description

 = (V, R, K, E, D)

f: S  K

r = (s, x, E(f(s), v) )

r: receipt

s: serial number

x: decryption information, commitments

f(s): key

v: vote

Given s and k, should be able to check that f(s)=k


Chaum (2004): Visual CryptographyFirst complete technical description, Vora (2004)First non-commercial implementation of a voter-verifiable system: Hosp et al (2004)

Ballot consists of two layers.

Voter takes one home.

It should reveal nothing about his vote

Pictures from Stefan Popoveniuc, PhD Dissertation, GW, 2009

  • Receipt = (sa, xa, vka)
  • xa: decryption information, commitments
  • ka = F(Sign(s, pa))

is key for chosen layer a

pa is private key for layer a


  • Receipts (sa, xa, vka), (sā, xā, vkā)
  • Voter checks that: sa = sā v=rarā

ra is the set of pixels on the receipt, and includes vka and kā

  • Symmetric proofreceipt
punchscan chaum 2005 gw implementation 2006
Punchscan (Chaum, 2005) GW: Implementation (2006)
  • First voter-verifiable binding election (grad student election at Univ. Ottawa, 2008: UOttawa, UMBC, GW)
  • Grand prize winner, International Voting System Competition VoComp, 2008

Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009

  • f(s) = a ā
  • No additional decryption information
  • Symmetric

Scantegrity II (2008)

UMBC, GW, MIT, Waterloo, UOttawa

Photo by Alex Rivest

  • f(s) = an AES encryption key
  • No decryption
example pr t voter encryption ryan et al 2005
Example: Prêt à Voter Encryption Ryan et al, 2005

1. System encrypts vote

2. Voters can choose to audit the encryption or cast it

3. Audit ballot by opening onion

4. Vote should decrypt to one for Buddhist

Pseudo-random Candidate Ordering





Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009

example pr t voter tallying ryan et al 2005
Example: Prêt à Voter Tallying Ryan et al, 2005
  • Permutation is composition of several permutations, one for each mix
  • Onion contains seeds for each permutation, encrypted as a mixnet message
  • Mixes each:
  • decrypt onion
  • undo permutation
  • pass on rest of onion

Pseudo-random Candidate Ordering




Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009

example commitment based back end part of punchscan system chaum et al 2004
Example: Commitment-Based Back-EndPart of Punchscan system, Chaum et al (2004)
  • Punchscan has a different front-end
  • explanation on PaV front-end for simplicity
  • Retain composition of permutations
  • Instead of onion, a serial number
  • Instead of mix, set of commitments to:
  • permutations
  • position in the shuffle
  • More efficient than public-key decryption

Pseudo-random Candidate Ordering



Picture from Stefan Popoveniuc, PhD Dissertation, GW, 2009



Not many rigorous definitions

Most apply to single voting systems

desirable property i auditability
Desirable Property I: Auditability

A voting system is auditable if it provides evidence about an election, to*voters and the general public  that can be used to determine the correctnessof the election outcome.

Evidence provided to:



VVPAT records voter-auditable. Publicly-auditable if recounts are performed in public.

* First recommended to us by Stefan Popoveniuc

desirable property ii ballot secrecy incoercibility
Desirable Property IIBallot Secrecy  Incoercibility

A voting system is incoercible if additional information provided by the voting system (and the procedures/process for using it), combined with any evidence provided by the voter, does not improve an adversary’s guess on how the voter voted.

  • Ballot secrecy in spite of cooperation between adversary and voter
end to end independently verifiable lowry and vora 2009
End-to-End Independently-VerifiableLowry and Vora (2009)

A voting system is end-to-end independently-verifiable if an independent, honest observer can determine— with virtual certainty—whether a declared election outcome correctly represents the votes cast by voters.

To the extent that the observer is required to trust:

  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures*: these should be limited to those for vote casting, and be publicly observable
    • (rationale: voter can complain if procedures not followed for her own vote)

*Andy Regenscheid noticed that procedures need to be mentioned

voter verifiable

A process is voter-verifiable if an honest voter can determine—with virtual certainty—whether the process was correctly carried out.

To the extent that the voter is required to trust:

  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures: these should be limited to those for vote casting, and be publicly observable
universally verifiable

A process is universally-verifiable if an honest observer can determine—with virtual certainty—whether the process was correctly carried out.

To the extent that the observer is required to trust:

  • entities, software or hardware, he or she should be able to choose said entities, software or hardware
  • procedures: these should be limited to those for vote casting, and be publicly observable
honest observer s point of view
Honest Observer’s Point of View

Independent honest observer notes that:

  • Ballot-casting is voter-verifiable
    • Voters verifysome information about votes that comes out of voting process
  • Tally-processing is universally-verifiable
    • Voting system computes tallyfrom this information in a universally-auditable manner
  • Then is virtually convinced that the election outcome is correct
scantegrity ii takoma park municipal election 2009 scantegrity ii front end punchscan back end

Scantegrity IITakoma Park Municipal Election: 2009Scantegrity II front end + Punchscan back-end

UMBC, GW, MIT, Waterloo, UOttawa

first fully voter verifiable secret ballot governmental election
First fully-voter-verifiable secret-ballot governmental election
  • November 3, 2009: Takoma Park, MD
  • Mayor + 6 Council Members
  • 1728 votes cast (10,934 registered voters)
  • Candidates were ranked by voters (instant runoff voting)
  • Unique:
    • Public audit of tally
    • Open-source
    • Fully-verifiable by voters

Scantegrity II (2008)

UMBC, GW, MIT, Waterloo, UOttawa

Photo by Alex Rivest

website verification
Website Verification
  • Immediately after election (10-11 pm)
    • Scantegrity count announced
    • Codes made available online
  • 81 unique ballot verifications, 64 before Takoma Park complaint deadline (Nov. 6)
  • One complaint
    • Codes not clear enough for one voter
    • Voter noted “0”
    • Scantegrity website said “8”
    • Voter trusted Scantegrity code was correct
    • Audit check later revealed Scantegrity code was correct
audits closed manual vote count
Audits: (Closed) Manual Vote Count
  • November 5, afternoon
  • Jointly by Scantegrity and Takoma Park
  • Corroborated Scantegrity total
  • Few differences, due to difference between:
    • machine reading (by scanner) and
    • human determination of voter intent
  • Election certified at 7 pm.
    • by Chair, Board of Elections, to City Council
audits encryption audit
Audits: Encryption Audit

Lillie Coney*

Audited ballots through the day

Chose about 50 ballots at random

Exposed all confirmation codes

Took home copies of marked ballots

Checked them against commitments when opened after election

With familiarity, voters, including candidate representatives, can do this too

  • * Associate Director, Electronic Privacy Information Center and
    • Public Policy Coordinator for the National Committee for Voting Integrity (NCVI)
audits digital audit trail
Audits: Digital Audit Trail

Dr. Ben Adida* and Dr. Filip Zagórski+

  • Audited the entire digital audit trail and independently confirmed tally correctness
  • Provided their own copy of confirmation codes for voter check
  • Pointed out discrepancies in documentation

* Helios and Center for Research on Computation and Society, Harvard University

+Institute of Mathematics and Computer Science, Wroclaw University of Technology, Poland

universally verifiable1
Universally Verifiable

Anyone can perform the audits performed by Adida and Zagórski

  • BoE Chair expects other voters will, using software provided by Adida and Zagórski
  • Voters can write their own software, using Scantegrity public spec
  • Bulletin Board (website) needs to be secure
    • Ensure that it doesn’t present one code to voters, another to auditors
    • Adida and Zagórski made copies, requested voters to check
    • All information on website signed, but voters need to check signatures
  • The cryptographic protocol does not prevent ballot stuffing, we had to use procedures
  • Paper ballots are inaccessible to those with motor and visual disabilities
electronic audit
Electronic Audit
  • Voter: “Vote for Bob”
  • System prints encryption and signs it
  • Voter: “I want to audit this encryption”
  • System shows that it encrypted vote for Alice
  • Voter knows system cheated, but no proof of “Vote for Bob”
  • Recall: paper-ballot E2E systems provide interactive protocol with write-once tape, proof of vote for audit


electronic audit1
Electronic Audit
  • If we keep hard copy record, then has to be destroyed if voter chooses to vote, not audit
  • All public solutions to this problem require
    • Second channel for secret information to voter


    • Observers during audit: is this possible without voting system detecting an audit?
open problems
Open Problems
  • Secure bulletin board with minimal voter involvement
  • Techniques For:
    • Prevention of ballot-box stuffing
    • Outcome correctness independent of number of voters who check (Nandi and Vora, ICISS 2010, to appear)
  • Electronic E2E systems
  • Rigorous (cryptographic) statements; proofs of protocol properties
  • Formal protocol models, formal verification
    • Crypto only useful for audit, not for prevention of fraud
  • Reliability and recovery
  • Accessible systems, including the ability of voters with visual disabilities to check outcome


Carback, Chaum, Clark, Essex, van de Graaf, Hall, Hosp, Lowry, Nandi, Popoveniuc, Rivest, Ryan, Shen, Sherman

At NIST: Hastings, Kelsey, Laskowski, Peralta, Popoveniuc, Regenscheid

Help with Takoma Park election:

City Clerk and Board of Elections, Takoma Park

Independent auditors: Adida, Coney, Zagórski

Survey: Baumeister

Others: Florescu, Jones, Relan, Rubio, Sonawane,

Support: NSF IIS 0505510, NSF CNS 0831149, NSF CNS 0937267

School of Engineering and Applied Science, GW: start-up funds