helios - real-world open-audit voting

Post on 22-Jun-2015


DESCRIPTION

Helios and the recent UCL election presented at the electronic voting workshop in Israel, Tel Aviv University, May 2009.

TRANSCRIPT

Helios: real-world open-audit voting
Ben Adida, Harvard University
Workshop on Electronic Voting, Tel Aviv University, 18 May 2009

Who counts the votes?
Democratizing the tallying process + secrecy

Bulletin Board: Public Ballots
Alice: Obama
Bob: McCain
Carol: Obama
Tally: Obama 2, McCain 1

Bulletin Board: Encrypted Public Ballots
Alice: Rice
Bob: Clinton
Carol: Rice
Tally: Obama 2, McCain 1
Alice verifies her vote. Everyone verifies the tally.

How can we verify operations on encrypted data? Mathematical proofs.

Zero-Knowledge Proof
Vote For: Obama
President: Mickey Mouse (several opened envelopes)
This last envelope likely contains "Obama".
Open envelopes don't prove anything after the fact.
Vote For: Paul
McCain

"And there are cryptographic techniques that can be used to achieve software independence so that even if there's a bug in the software, you'll detect if there's a problem. But those are not ready for prime time in my opinion."
Avi Rubin, 7/9/2008

"But with cryptography, you're just moving the black box. Few people really understand it or trust it."
Debra Bowen, California Sec. of State, 7/30/2008 (paraphrased)

Where to Start?

Most open-audit schemes:
- Complex voting process
- In-person voting
- Few can experience it

Helios:
- Simplify
- Low-coercion elections
- Web-based: all can experience it

"Low-Coercion?"

- A more appropriate term might be "stratified coercion"
- If the voting public is a subset of the population, there may be inherent limits to coercion.
- e.g. university voting
- e.g. EFCA in the US

Technical Concepts

- Probabilistic Encryption & Threshold Decryption: posting ciphertexts safely on a bulletin board
- Homomorphic Tallying: no write-ins, proofs of correct plaintext
- Benaloh Challenge: cast or audit, authenticate only upon cast
- In-Browser Encryption: plaintext only in the user's browser

Probabilistic Encryption & Threshold Decryption

Public-Key Encryption
Keypair consists of a public key pk and a secret key sk.
Enc_pk("Obama") = 8b5637
Enc_pk("McCain") = c5de34
Enc_pk("Obama") = a4b395
Encrypting "Obama" twice yields two different ciphertexts: the encryption is probabilistic.

Threshold Decryption
Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.
Ciphertext: 8b5637
Dec_sk1: b739cb
Dec_sk2: 261ad7
Dec_sk3: 7231bc
Dec_sk4: 8239ba
Result: "Obama"

Homomorphic Tallying

Homomorphic Property
First: r'th residuosity [Benaloh85]. Also: Paillier cryptosystem [P99].
Enc(m1) × Enc(m2) = Enc(m1 + m2)
Then we can simply add votes "under cover" of encryption!

Sample Tally [B+2001, P1999]
Each ballot (Vote for Adam, Bob, Charlie or David) is a vector with a 1 in the chosen candidate's slot:
0001 0000 0000 0000
0000 0001 0000 0000
0000 0000 0001 0000
0000 0000 0000 0001
Sample Tally: 0004 0001 0008 0002

Homomorphic Tally: Vote for None / Vote for Obama / Vote for McCain
0003 0006 0005

Benaloh Casting Protocol
[image: http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg]

- Alice: "Obama" → Encrypted Ballot
- Alice: "AUDIT" → Decrypted Ballot → VERIFICATION (Decrypted Ballot against Encrypted Ballot)
- Alice: "CAST" → Signed Encrypted Ballot
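As an added example (not code from the slides, and not Helios's own code, which uses exponential ElGamal rather than Paillier), this Python block works through the Homomorphic Tallying slides' 4-digit-slot encoding with a toy Paillier [P99] scheme and the audit check of the Benaloh Casting Protocol. The small primes, the slot order (Adam leftmost) and all function names are constructed assumptions.

```python
import math
import secrets
# Toy Paillier [P99] keypair from two constructed 30-bit primes, for illustration
# only (a real election needs ~1024-bit primes). n must exceed the largest tally:
# here four 4-digit slots, i.e. less than 10^16.
P, Q = 1000000007, 1000000009
N, N2, G = P * Q, (P * Q) ** 2, P * Q + 1
LAM = math.lcm(P - 1, Q - 1)   # lambda = lcm(p-1, q-1): the secret key
MU = pow(LAM, -1, N)           # mu = lambda^-1 mod n
SLOT = 10_000                  # one 4-digit counter per candidate, as on the slide
CANDIDATES = ["Adam", "Bob", "Charlie", "David"]  # assumed slot order, Adam leftmost

def enc_with_r(m, r):
    """Enc_pk(m) = g^m * r^n mod n^2 for a given randomness r."""
    return pow(G, m, N2) * pow(r, N, N2) % N2

def encrypt(m):
    """Probabilistic: fresh r per call, so two encryptions of the same vote differ
    (the slide's 8b5637 vs a4b395). Returns (ciphertext, r)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return enc_with_r(m, r), r

def decrypt(c):
    """Dec_sk(c) = L(c^lambda mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def encode_vote(candidate):
    """A ballot is a 1 in the chosen slot, e.g. Bob -> 0000 0001 0000 0000."""
    return SLOT ** (len(CANDIDATES) - 1 - CANDIDATES.index(candidate))

def decode_tally(m):
    """Split the decrypted sum back into one counter per candidate."""
    return {name: m // SLOT ** (len(CANDIDATES) - 1 - k) % SLOT
            for k, name in enumerate(CANDIDATES)}

def homomorphic_tally(ciphertexts):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): multiply the ballots, decrypt only the
    product. Without a proof that each slot is 0 or 1 (the slides' 'proofs of
    correct plaintext'), one ballot could add 5 to a slot or overflow a neighbour."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc

def audit_ballot(ciphertext, claimed_vote, r):
    """Benaloh challenge: an audited ballot is opened (plaintext and r revealed) and
    the voter re-encrypts to check it matches. An audited ballot is never cast."""
    return enc_with_r(encode_vote(claimed_vote), r) == ciphertext
```

Tallying ciphertexts from `encrypt(encode_vote(...))` with `decode_tally(decrypt(homomorphic_tally(...)))` over 4 Adam, 1 Bob, 8 Charlie and 2 David ballots reproduces the slide's 0004 0001 0008 0002.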

Helios System Details

- Python & JavaScript logic & crypto
- Free/Open-Source stack
- Deployed on Google App Engine
- Deployed on Apache/Python/PostgreSQL
- Customizable: authentication, look-and-feel, translations

So, does it work?

- Université catholique de Louvain

- 25,000 eligible voters

- University president election

- Helios 2.0, optimized

- customized for UCL (French, improved UI)


[Figures: number of votes per hour, Day 1 and Day 2 (1st round, 2nd round), x-axis Time [h] from 0 to 22, y-axis 0 to 500; total number of votes, Day 1 and Day 2 (1st round, 2nd round), x-axis Time [h] from 0 to 22, y-axis 0 to 4000]

Most Interesting Lesson: spurious claims are easily countered

brief demo
