Cast, but verify
Can voters check that their e-vote is cast as they intended and properly included in an accurate count?
Vanessa Teague, University of Melbourne, [email protected]
CIS department seminar, March '14


TRANSCRIPT


Why verifiable voting?
What's wrong with this picture?

[Diagram: voters' PCs send encrypted votes to an Electoral Commission server holding the decryption key, which produces the election outcome]

The challenge
- Vote privacy is relatively easy: use standard crypto and a completely trusted decryption & counting system.
- Verifiability is relatively easy if you don't care about privacy: just make all the votes public.
- The challenge is to do both: verifiably accurate results that preserve privacy.

Electronic election verification
- Each voter can check that their vote matches their intention, even if the computer they're using is compromised.
- Everyone can check that the votes were properly handled after casting.

Not in this talk
- Details about privacy.
- Verifying the counting software, e.g. Rajeev Goré's work on eVACS.
- Other important requirements: usability, robustness, security from outside attack, ...

Outline
- On the Internet: NSW (Everyone Counts), Norway (Gjøsteen, Scytl), Helios (Adida, de Marneffe, Pereira et al.)
- In the polling place: VEC verifiable system based on Prêt à Voter; electronic ballot markers (WA, Tas, proposed NSW)

iVote (NSW) 2011
[Diagram: each voter receives a verification number (Verif1, Verif2, Verif3); voters log in again later to query the system and see if they get the right verification number back]

iVote 2015
- A new version is proposed for the 2015 NSW state election.
- The voter sends the vote to the server using plain SSL/TLS again.
- Each voter checks their vote (unencrypted) with an auditor.
- But don't worry, the auditor can't possibly tell who you are just by looking at your IP address.
- The auditor promises to check that they all go properly into the count.
- See the draft design at http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf

[Diagram: iVote (proposed NSW) 2015, plaintext vote check with auditor: the voter connects over TLS to the Electoral Commission and, separately over TLS, to the Auditor]

Norway
- A partially-verifiable Internet voting scheme.
- Used in recent Norwegian local & parliamentary elections.
- Openly-available source code with public docs & papers.
- Uses the Norwegian government electronic ID scheme.
- Implemented by Scytl.

Example 3: Norway
- Each voter gets a code sheet by snail mail; everyone's code sheet is different.
- The voter's PC encrypts the party name and sends it to the server.
- The authorities SMS the party code to the voter's mobile phone.
- A corrupt PC can't lie about your vote undetectably, unless it learns the codes.

[Example code sheet from the slide]
  Red        3492
  Green      3489
  Chequered  8934
  Fuzzy      3513
  Cross      9253
  Yellow     0114

Norway: an admirable process
- Public consultation, open source code, academic review, honesty about problems.
- Still some gaps in the protocol, but at least they know what they are.
- And some bugs in the implementation, but there's a process for finding and fixing them.
- The open process allows for a scientific discussion based on facts & careful analysis.


Helios
- An end-to-end verifiable Internet voting scheme by Adida, de Marneffe, Pereira.
- Source code and docs at heliosvoting.org.
- Used by the IACR in their board elections.
- Each voter can verify that their vote is cast as they intended and properly included in the count.
- Anyone can verify that all the included votes are properly decrypted and tallied.

One-page reminder about public key crypto
- The receiver generates two keys: a public key e (for encrypting) and a private key d (for decrypting).
- She publicises the public key e. People use this for encrypting messages; they also include some randomness r. Ciphertext C = Enc_e(msg, r).
- She keeps the private key d secret and uses this for decrypting messages.

Helios: cast-as-intended verification
- You don't trust your PC to encrypt the right thing, but you do trust your PC for privacy.
- Ask your PC to produce lots of (different) encrypted votes. It doesn't know which one you're going to use.
- Photograph them, print them, or send them to other devices.
- Ask your PC to open all but one of them, i.e. to tell you the randomness r it used for encrypting.
- Get the other devices to check the encryption was right: they just recompute Enc_e(msg, r).
- Cast the one you didn't open, so your privacy is preserved.

So why not use Helios for Aus government elections?
- Difficulty of the cast-as-intended protocol: voters need to understand it to get it right.
- Extension to STV ballots with 97 people.
- Computational scalability.

Internet voting: summary
- There is no end-to-end verifiable Internet voting scheme that's usable for ordinary voters and adaptable to Australian-style preferential elections.
- And we haven't even talked about authenticating the voters or preserving privacy.

The Victorian Electoral Commission's polling-place voting system
- I've done a lot of work on this project, but am not representing the VEC's official position in any way.
- Based on the Prêt à Voter end-to-end verifiable voting scheme (Ryan, Schneider, Chaum).
- Implemented by a team at U Surrey (Culnane, Heather, Schneider), with some help from the VEC (Burton).
- This scheme is end-to-end verifiable, except that the point where its output is joined in with the rest of the ballots is observable only by scrutineers.

Victoria polling-place 2014 cont'd
- Each voter gets a human-readable printout to check.
- The printout is transformed into an encrypted receipt: the voter gets evidence that this is the vote they intended, without being able to prove to others how they voted.
- The voter takes their encrypted receipt home and checks that it's in the accepted list.
- The accepted list is shuffled & decrypted with a mathematical proof of correctness, which anyone can check.
- Source code at https://bitbucket.org/vvote

Prêt à Voter
- Uses pre-prepared paper ballot forms that encode the vote in familiar form.
- The candidate list is randomised for each ballot form.
- Information defining the candidate list is encrypted in an "onion" value printed on each ballot form.
- Actually, we print a serial number that points to the encrypted values in a public table.

[Ballot form from the slide: candidate list Red, Green, Chequered, Fuzzy, Cross; onion value $rJ9*mn4R&8]

Ballot auditing
- Each voter can challenge as many ballots as they like and get a proof that the onion matches the candidate list.
- Then don't use that ballot; vote on an unchallenged one, so you can't prove how you voted.


Voting
- Fill in the boxes as usual, using a computer to help.
- Check its printout against the candidate list.
- Shred the candidate list.
- The computer uploads the vote: the same info as on the printout.
- Take the printout home; it doesn't reveal the vote.


Checking from home that your vote is there
- There's a public website listing all the receipts.
- More precisely, there's a bulletin board, which is a public website augmented with some evidence that everyone sees the same data.
- Find yours.


Verifying shuffling and decryption
- Now we have a list of encrypted votes on a public website: encrypted, and linked to voters' identities, because each voter still holds their receipt.
- We want to shuffle the votes (to break the link with voter ID), decrypt the votes, and prove that this was done correctly.

What's public-key cryptography?
- The receiver generates two keys: a public key e (for encrypting) and a private key d (for decrypting).
- She publicises the public key e. People use this for encrypting messages; they also include some randomness.
- She keeps the private key d secret and uses this for decrypting messages.

[Diagram of public-key cryptography: the sender encrypts to the receiver's public key; the receiver decrypts with the private key]

Re-randomising encryption
- Without knowing the secret key, re-do the randomness used in the encryption.
- The message stays the same, but the new encryption can't be linked to the old one.

Randomised partial checking
- By Jakobsson, Juels & Rivest; significant improvements by Wikström.
- We can't (completely) prevent a hacker from breaking in to all the computers and changing the votes, but we can check the process thoroughly enough to be confident that, if the checks succeed, then the system produced the right output with very high probability.
- A pair of mix servers shuffle and re-randomise; choose randomly to prove the link to the start or the end.

Provable decryption step
- Trust me, this can be done: using Chaum-Pedersen proofs of dlog equality, showing proper decryption of an ElGamal ciphertext given the ElGamal public key.
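The Helios cast-as-intended check (the "open all but one" challenge described earlier), re-randomising encryption and the Chaum-Pedersen decryption proof, shown together in one added Python example; this is not code from the talk, from Helios or from vVote. It assumes a constructed toy ElGamal group (p = 1019, q = 509, generator 4), a hashed (Fiat-Shamir) challenge in place of an interactive verifier, and candidates encoded as subgroup elements.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates its
# order-q subgroup of quadratic residues (real systems use 2048-bit+ groups).
P, Q, G = 1019, 509, 4

def rand_exp():                                   # uniform exponent in 1..q-1
    return secrets.randbelow(Q - 1) + 1
def keygen():                                     # private key d, public key e = g^d
    d = rand_exp()
    return d, pow(G, d, P)
def encode(candidate):                            # candidate index -> subgroup element
    return pow(G, candidate + 1, P)
def encrypt(e, m, r):                             # C = Enc_e(m, r) = (g^r, m * e^r)
    return pow(G, r, P), m * pow(e, r, P) % P
def rerandomise(e, c, s):                         # multiply in an encryption of 1:
    a, b = c                                      # same plaintext, unlinkable ciphertext
    return a * pow(G, s, P) % P, b * pow(e, s, P) % P

def pc_encryptions(e, m, n, cheat_at=None, other=None):
    """Voter's PC returns n encryptions of m and their randomness; the constructed
    corrupt PC swaps candidate `other` in at position `cheat_at`."""
    rs = [rand_exp() for _ in range(n)]
    return [encrypt(e, other if i == cheat_at else m, r) for i, r in enumerate(rs)], rs

def cast_as_intended_check(e, m, cts, rs, keep):
    """Helios challenge: open all but `keep`, let a second device recompute
    Enc_e(m, r); return the unopened ciphertext to cast, or None on a mismatch."""
    for i, (c, r) in enumerate(zip(cts, rs)):
        if i != keep and encrypt(e, m, r) != c:
            return None
    return cts[keep]

def fs_challenge(*vals):                          # Fiat-Shamir hash of the transcript
    h = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_decryption(d, e, c):
    """Decrypt c = (a, b) with a Chaum-Pedersen proof that log_g(e) = log_a(y), y = a^d."""
    a, b = c
    y, w = pow(a, d, P), rand_exp()
    t1, t2 = pow(G, w, P), pow(a, w, P)
    s = (w + fs_challenge(G, e, a, y, t1, t2) * d) % Q
    return b * pow(y, P - 2, P) % P, (y, t1, t2, s)      # plaintext m = b / y, proof

def verify_decryption(e, c, m, proof):            # anyone can check this from the board
    a, b = c
    y, t1, t2, s = proof
    ch = fs_challenge(G, e, a, y, t1, t2)
    return (m * y % P == b and pow(G, s, P) == t1 * pow(e, ch, P) % P
            and pow(a, s, P) == t2 * pow(y, ch, P) % P)
```

With three ciphertexts, a corrupt PC that alters one of them is caught whenever the altered one is among the two that get opened, which is the probabilistic guarantee the cast-as-intended slide relies on.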


Privacy
- Whenever you have a computer helping you fill in your vote, that computer is a privacy risk. So is the ballot printer.
- There are some clever schemes for verifiable voting that don't tell your computer how you voted, e.g. the plain version of Prêt à Voter in which you fill in the ballot with a pencil.
- But none of them work with 30-candidate STV.
- This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote.

Summary
- This provides a rigorous after-the-fact argument that the answer was right (with high probability).
- To the court we'd say: we worked really hard to make sure the software was correct; we worked really hard to make the computers secure.
- But even if these were not perfect: the voters & the public could check the integrity of the data directly, and the scrutineers can reconcile that with the rest of the count, and would have detected a manipulation with high probability.

Feedback
- If you'd like to write your own proof checker, verifier, signature checker, etc., for vVote, please come and talk to me.
- If you think you've found a bug, please come and talk to me.
- If you read the supporting materials and you think you've found a bug, please come and talk to me.


A human-readable paper record
- So the voter can check directly that their vote is cast as they intended.

Electronic ballot marker
- Vote on a computer, print your vote, put it in a ballot box.
- In use in WA & Tas, proposed in NSW.
- Good for voters who need assistance, and also for validity checking for everyone.

Conclusion
- Verifiable Internet voting is an unsolved problem.
- Verifiable polling-place voting has several sensible solutions, but there are important details in extending them to Australian voting.

So what happens now?
- The AEC recently produced a discussion paper on Internet voting: http://www.eca.gov.au/media/18-09-13.htm

"7.8 As noted in Part 1, the extent to which it can be guaranteed that votes cast on the internet will not be susceptible to interference of one form or another has been a matter of vigorous dispute. This paper takes no stand on that issue, ..."

"7.17 The need for new transparency mechanisms to replace those associated with the paper ballot remains a matter of fundamental importance, and one which will rise in significance in direct proportion to the number of people actually using internet voting. Elaboration of such mechanisms is beyond the scope of this paper."