truly verifiable elections

Truly Verifiable Voting Ben Adida Harvard University MSR Voting Technology Workshop 19 March 2010

Upload: ben-adida

Post on 19-May-2015


DESCRIPTION

talk at Microsoft Research on truly-verifiable voting

TRANSCRIPT

Page 1: Truly Verifiable Elections

Truly Verifiable Voting

Ben Adida, Harvard University

MSR Voting Technology Workshop, 19 March 2010

Page 2: Truly Verifiable Elections

“If you think cryptography is the solution to your problem....

Page 3: Truly Verifiable Elections

... then you don’t understand cryptography... and you don’t understand your problem.”

Page 4: Truly Verifiable Elections

Yet, cryptography solves problems that initially appear to be impossible.

Page 5: Truly Verifiable Elections

There is a potential paradigm shift.

A means of election verification far more powerful than other methods.

Page 6: Truly Verifiable Elections

“But with cryptography, you’re just moving the black box. Few people really understand it or trust it.”

Debra Bowen, California Sec. of State, 7/30/2008 (paraphrased)

Page 7: Truly Verifiable Elections

[Figure: timeline (axis: time) with labels "DRE code", "election" and "Election Results"]

Page 8: Truly Verifiable Elections

Three Points

1. Voting is a unique trust problem.

2. Cryptography is not just about secrets, it enables collaboration w/o blind trust, it democratizes auditing processes.

3. Truly Verifiable Voting is closing in on practicality.

Page 9: Truly Verifiable Elections

1. Voting is a unique trust problem.

Page 10: Truly Verifiable Elections

“Swing Vote”

terrible movie. hilarious ending.

Page 11: Truly Verifiable Elections

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results.

"She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not."

Page 12: Truly Verifiable Elections


Page 13: Truly Verifiable Elections


Page 14: Truly Verifiable Elections

Bad Analogies

Not just that ATMs and planes are vulnerable (they are, but that’s not the point)

It’s that voting is much harder.

Page 15: Truly Verifiable Elections

Bad Analogies

Adversaries

➡ pilots vs. passengers (airline is on your side, I think.)

➡ banking privacy is only voluntary: you are not the enemy.

Failure Detection & Recovery

➡ plane crashes & statements vs. 2% election fraud

➡ Full banking receipts vs. destroying election evidence

Imagine

➡ a bank where you never get a receipt.

➡ an airline where the pilot is working against you.

Page 16: Truly Verifiable Elections

Ballot secrecy conflicts with auditing, cryptography can reconcile them.

Page 18: Truly Verifiable Elections

[Figure: the voting pipeline as seen by Alice, with numbered stages 1 to 6. Labels: Vendor (source code), Voting Machine, Polling Location, Ballot Box Collection, Results, Alice, Black Box]

Page 19: Truly Verifiable Elections

Chain of Custody


Page 20: Truly Verifiable Elections


Page 21: Truly Verifiable Elections

2. Cryptography is not just about secrets, it enables collaboration w/o blind trust.

Page 22: Truly Verifiable Elections

Initially, cryptographers re-created physical processes in the digital arena.

Page 23: Truly Verifiable Elections

Then, a realization: cryptography enables a new voting paradigm

Secrecy + Auditability.

Page 24: Truly Verifiable Elections

Bulletin Board

Public Ballots

Alice: Obama

Bob: McCain

Carol: Obama

Tally

Obama....2

McCain...1

[Figure label: Alice]

Page 25: Truly Verifiable Elections

Encrypted Public Ballots

Bulletin Board

Alice: Rice

Bob: Clinton

Carol: Rice

Tally

Obama....2

McCain...1

[Figure label: Alice]

Alice verifies her vote

Everyone verifies the tally

Page 26: Truly Verifiable Elections

End-to-End Verification

[Figure: Vendor (source code), Voting Machine, Polling Location, Alice, Receipt, Ballot Box / Bulletin Board, Results; two checks numbered 1 and 2]

Page 27: Truly Verifiable Elections

Democratizing Audits

Each voter is responsible for checking their receipt (no one else can.)

Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots.

Thus, “open-audit” or truly-verifiable voting

Page 28: Truly Verifiable Elections

NO!

Increased transparency when some data must remain secret.

Page 29: Truly Verifiable Elections

So, yes, we encrypt, and then we work with the encrypted data in public, so everyone can see.

In particular, because the vote is encrypted, it can remain labeled with voter’s name.

Page 30: Truly Verifiable Elections

“Randomized” Encryption

Keypair consists of a public key $pk$ and a secret key $sk$.

"Obama" → $\mathrm{Enc}_{pk}$ → 8b5637

"McCain" → $\mathrm{Enc}_{pk}$ → c5de34

"Obama" → $\mathrm{Enc}_{pk}$ → a4b395

Page 31: Truly Verifiable Elections

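Threshold Decryption

8b5637 → $\mathrm{Dec}_{sk_1}$ → b739cb

8b5637 → $\mathrm{Dec}_{sk_2}$ → 261ad7

8b5637 → $\mathrm{Dec}_{sk_3}$ → 7231bc

8b5637 → $\mathrm{Dec}_{sk_4}$ → 8239ba

combined → "Obama"

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.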

Page 32: Truly Verifiable Elections

Homomorphic Encryption

$\mathrm{Enc}(m_1) \times \mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 + m_2)$

$g^{m_1} \times g^{m_2} = g^{m_1 + m_2}$

then we can simply add “under cover” of encryption!
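
An added example, not from the talk: exponential ElGamal is one scheme that has the three properties on the preceding slides (randomized encryption, a secret key split among trustees, and Enc(m1) × Enc(m2) = Enc(m1 + m2)), shown here tallying the bulletin board from the earlier slide. The toy group, the function names and the all-trustees (rather than quorum) key split are assumptions of this example.

```python
import secrets
from math import prod

# Toy group (assumption; far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 467, 233, 4
CANDIDATES = ("Obama", "McCain")

def trustee_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def joint_pk(pks):
    return prod(pks) % P                  # h = g^(sk1 + sk2 + ...)

def enc(h, m):
    r = secrets.randbelow(Q - 1) + 1      # fresh random factor for every ciphertext
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def cast(h, choice):
    # One ciphertext per candidate: Enc(1) for the choice, Enc(0) otherwise.
    return {c: enc(h, int(c == choice)) for c in CANDIDATES}

def add(a, b):
    # Enc(m1) x Enc(m2) = Enc(m1 + m2): multiply componentwise.
    return a[0] * b[0] % P, a[1] * b[1] % P

def partial_dec(sk_i, ct):
    return pow(ct[0], sk_i, P)            # computed by trustee i; sk_i is never pooled

def combine(ct, shares, max_m):
    mask = prod(shares) % P               # equals ct[0]^(sk1 + sk2 + ...)
    gm = ct[1] * pow(mask, -1, P) % P     # g^m; tallies are small, so search for m
    return next(m for m in range(max_m + 1) if pow(G, m, P) == gm)

def tally(board, sks):
    out = {}
    for c in CANDIDATES:
        total = (1, 1)                    # trivial encryption of 0
        for ballot in board.values():
            total = add(total, ballot[c])
        out[c] = combine(total, [partial_dec(sk, total) for sk in sks], len(board))
    return out

def run_election():
    keys = [trustee_keygen() for _ in range(4)]    # four trustees, as on the slide
    h = joint_pk(pk for _, pk in keys)
    votes = {"Alice": "Obama", "Bob": "McCain", "Carol": "Obama"}  # from the slides
    board = {voter: cast(h, v) for voter, v in votes.items()}
    return board, tally(board, [sk for sk, _ in keys])
```

Only the summed ciphertext is ever decrypted, so the per-voter ciphertexts can stay on the public board under the voters' names. A real system also needs a proof that each ballot encrypts 0 or 1.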

Page 33: Truly Verifiable Elections

Mixnets

$c = \mathrm{Enc}_{pk_1}(\mathrm{Enc}_{pk_2}(\mathrm{Enc}_{pk_3}(m)))$

Each mix server “unwraps” a layer of this encryption onion.

Page 34: Truly Verifiable Elections

Proving certain details while keeping others secret.

Proving a ciphertext encodes a given message without revealing its random factor.

Page 35: Truly Verifiable Elections

Zero-Knowledge Proof

This last envelope likely contains “Obama”

[Figure: a ballot reading "Vote For: Obama" and a row of envelope contents, several reading "President: Mickey Mouse" and the last reading "Vote For: Obama"]

Page 36: Truly Verifiable Elections

Zero-Knowledge Proof

Open envelopes don’t prove anything after the fact.

[Figure: two rows of envelope contents, each with several reading "President: Mickey Mouse"; the first row ends in "Vote For: Obama", the second in "Vote For:" with the labels "Paul" and "McCain"]

Page 37: Truly Verifiable Elections

A little bit more math

$y = g^x \bmod p$

$S = g^r \bmod p$

$c$

$t = xc + r$

$g^t \stackrel{?}{=} S y^c$

Page 38: Truly Verifiable Elections

does this prove anything?

$y = g^x \bmod p$

$S = g^r \bmod p$

$c$

$t = xc + r$

$c$

$t = xc + r$

Page 39: Truly Verifiable Elections

what’s so special about it?

$y = g^x \bmod p$

$S = g^r \bmod p$

$c$

$t = xc + r$

$g^t \stackrel{?}{=} S y^c$
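
An added example, not from the talk: the exchange on the last three slides in code, with y public, S the prover's commitment, c the verifier's challenge and t the response. It goes beyond the slides by also showing two standard properties of this protocol: answering two different challenges for the same S reveals x, and a transcript built by choosing c and t first passes the check without knowledge of x. The toy group and the function names are assumptions.

```python
import secrets

# Toy group (assumption; far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 467, 233, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # prover's secret x
    return x, pow(G, x, P)                    # y = g^x mod p

def commit():
    r = secrets.randbelow(Q)                  # fresh r for every run
    return r, pow(G, r, P)                    # S = g^r mod p

def respond(x, r, c):
    return (x * c + r) % Q                    # t = xc + r (exponents live mod q)

def verify(y, S, c, t):
    return pow(G, t, P) == S * pow(y, c, P) % P   # g^t ?= S y^c

def extract(c1, t1, c2, t2):
    """Two answers to different challenges on the same S give away x.

    t1 - t2 = x(c1 - c2), so only someone who knows x can answer both,
    and a prover must never reuse r.
    """
    return (t1 - t2) * pow((c1 - c2) % Q, -1, Q) % Q

def simulate(y):
    """Accepting transcript made without x: pick c and t, then solve for S.

    Because anyone can do this after the fact, a recorded (S, c, t) convinces
    only the verifier who chose c after seeing S.
    """
    c, t = secrets.randbelow(Q), secrets.randbelow(Q)
    S = pow(G, t, P) * pow(y, -c, P) % P      # S = g^t y^(-c)
    return S, c, t
```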

Page 40: Truly Verifiable Elections

Electronic Experience

Voter interacts with a voting machine

Obtains a freshly printed receipt that displays the encrypted ballot

Takes the receipt home and uses it as a tracking number.

Receipts posted for public tally.

[Figure: Alice, Voting Machine, Encrypted Vote]

Page 41: Truly Verifiable Elections

Paper Experience

paper ballots with indirection between candidate and choice

break the indirection (tear, detach) for effective encryption

take receipt home and use it as tracking number.

receipts posted for public tally.

[Figure: paper ballot with candidate codes (Adam - x, Bob - q, Charlie - r, David - m), a code strip "q r m x" and serial number "8c3sw"; a second ballot style lists David, Adam, Bob, Charlie next to blank mark lines, also with serial number "8c3sw"]

Page 42: Truly Verifiable Elections

3. Cryptography-based Voting (Truly Verifiable Voting) is closing in on practicality.

Page 43: Truly Verifiable Elections

Benaloh Casting

[Figure: Alice holds an Encrypted Ballot and chooses between two paths. "AUDIT": Encrypted Ballot and Decrypted Ballot, with VERIFICATION showing "Obama". "CAST": Signed Encrypted Ballot]

Page 44: Truly Verifiable Elections

Many more great ideas

Neff’s MarkPledge

➡ high-assurance, human-verifiable, proofs of correct encryption

Prêt-à-Voter by Ryan et al.

➡ elegant, simple, paper-based

STV: Ramchen, Teague, Benaloh & Moran.

➡ handling complex election styles

Scantegrity I & II

➡ closely mirrors opscan voting

Page 45: Truly Verifiable Elections

Deployments!

Scantegrity II @ Takoma Park: real municipal elections

Université catholique de Louvain: 25,000 voters

Scratch, Click & Vote

Page 46: Truly Verifiable Elections

Three Points

1. Voting is a unique trust problem.

2. Cryptography is not just about secrets, it enables collaboration w/o blind trust, it democratizes the auditing process.

3. Truly Verifiable Voting is closing in on practicality.

Page 47: Truly Verifiable Elections

My Fear:

computerization of voting is inevitable.

without true verifiability, the situation is grim.

Page 48: Truly Verifiable Elections

My Hope: public auditing proofs will soon be as common as public-key crypto is now.

Page 49: Truly Verifiable Elections

Challenges

Ed Felten: “you have no voter privacy, deal with it.”

Page 50: Truly Verifiable Elections

Questions?