Post on 19-May-2015
description
Cryptographyand Voting
Ben AdidaHarvard University
EVT & WOTEAugust 11th, 2009Montreal, Canada
“If you think cryptographyis the solution
to your problem....
2
... then youdon’t understandcryptography...
3
... then youdon’t understandcryptography...
3
... and you don’t understand your
problem.”-Peter, Butler, Bruce
Yet, cryptography solves problems that initially
appear to be impossible.
4
There is apotential paradigm shift.
A means ofelection verificationfar more powerful
than other methods.5
Three Points
6
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets,it creates trust between competitors,it democratizes the auditing process.
3. Open-Audit Voting is closing in on practicality.
1.Voting is a unique
trust problem.
7
“Swing Vote”
terrible movie.hilarious ending.
8
Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday
to see the election results.
"She saw my name with zero votes by it.She came home and asked me ifI had voted for myself or not."
9
10
11
12
Bad Analogies
Dan Wallach’s great rump session talk.
More than thatATMs and planes are vulnerable(they are, but that’s not the point)
It’s that voting is much harder.
13
Bad AnalogiesAdversaries➡ pilots vs. passengers (airline is on your side, I think.)➡ banking privacy is only voluntary:
you are not the enemy.
Failure Detection & Recover➡ plane crashes & statements vs. 2% election fraud➡ Full banking receipts vs. destroying election evidence
Imagine➡ a bank where you never get a receipt.➡ an airline where the pilot is working against you.
Ballot secrecyconflicts with auditing,
cryptographycan reconcile them.
14
http://www.cs.uiowa.edu/~jones/voting/pictures/ 15
16
Vendor
/*
* source
* code
*/
if (...
1
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
4
Alice
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
4
Alice
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
Ballot Box Collection
5
4
Alice
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
Ballot Box Collection
5
Results
.....6
4
Alice
16
VotingMachine
2
Vendor
/*
* source
* code
*/
if (...
1
Polling Location
3
Ballot Box Collection
5
Results
.....6
4
Alice
Black Box
16
Chain of Custody
Chain of Custody
Chain of Custody
Chain of Custody
Chain of Custody
18
Initially,cryptographers
re-createdphysical processesin the digital arena.
19
Then, a realization: cryptography enables a new voting paradigm
Secrecy + Auditability.
20
Bulletin Board
Public Ballots
Bob:McCain
Carol:Obama
21
Bulletin Board
Public Ballots
Bob:McCain
Carol:Obama
Alice
21
Bulletin Board
Public Ballots
Alice:Obama
Bob:McCain
Carol:Obama
Alice
21
Bulletin Board
Public Ballots
Alice:Obama
Bob:McCain
Carol:Obama
Tally
Obama....2McCain....
1Alice
21
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....
1Alice
22
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....
1Alice
Alice verifies her vote
22
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....
1Alice
Alice verifies her vote Everyone verifies the tally
22
End-to-End Verification
End-to-End Verification
Polling Location
VotingMachine
Vendor
/*
* source
* code
*/
if (...
End-to-End Verification
Polling Location
VotingMachine
Vendor
/*
* source
* code
*/
if (...
Ballot Box /
Bulletin Board
Alice
End-to-End Verification
Polling Location
VotingMachine
Vendor
/*
* source
* code
*/
if (...
Ballot Box /
Bulletin Board
Alice
Results
.....
End-to-End Verification
Polling Location
VotingMachine
Vendor
/*
* source
* code
*/
if (...
Receipt
1
Ballot Box /
Bulletin Board
Alice
Results
.....
End-to-End Verification
Polling Location
VotingMachine
Vendor
/*
* source
* code
*/
if (...
Receipt
1 2
Ballot Box /
Bulletin Board
Alice
Results
.....
Democratizing Audits
24
Each voter is responsible for checkingtheir receipt (no one else can.)
Anyone, a voter or a public org,can audit the tally andverify the list of cast ballots.
Thus, OPEN-AUDIT Voting.
2.Cryptography is
not just about secrets,creates trust between
competitors.
25
NO!
Increased transparencywhen some data
must remain secret.26
So, yes, we encrypt,and then we operate on the encrypted data in public, so
everyone can see.
In particular, because the vote is encrypted, it can remain labeled with voter’s name.
27
“Randomized” Encryption
28
“Randomized” EncryptionKeypair consists of a public key and a secret key .skpk
28
“Randomized” EncryptionKeypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
28
“Randomized” EncryptionKeypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
c5de34Encpk"McCain"
28
“Randomized” EncryptionKeypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
c5de34Encpk"McCain"
a4b395Encpk"Obama"
28
Threshold Decryption
8b5637
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
29
Threshold Decryption
8b5637
b739cbDecsk1
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
29
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
29
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
29
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
8239baDecsk4
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
29
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
8239baDecsk4
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
"Obama"
29
Homomorphic Encryption
30
Homomorphic Encryption
30
Enc(m1)! Enc(m2) = Enc(m1 + m2)
Homomorphic Encryption
30
Enc(m1)! Enc(m2) = Enc(m1 + m2)
Homomorphic Encryption
30
Enc(m1)! Enc(m2) = Enc(m1 + m2)
gm1 ! gm2 = gm1 +m2
Homomorphic Encryption
30
then we can simplyadd “under cover” of encryption!
Enc(m1)! Enc(m2) = Enc(m1 + m2)
gm1 ! gm2 = gm1 +m2
Mixnets
31
Each mix server “unwraps”a layer of this encryption onion.
c = Encpk1 (Encpk2 (Encpk3 (m)))
Proving certain details while keeping others secret.
Proving a ciphertext encodes a given message
without revealingits random factor.
32
Zero-Knowledge Proof
33
Zero-Knowledge Proof
Vote For:
Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
33
Zero-Knowledge Proof
This last envelope likely contains “Obama”
Vote For:
Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
33
Zero-Knowledge Proof
Open envelopes don’t proveanything after the fact.
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For:
Paul
34
McCain
Electronic Experience
35
Voter interacts with a voting machine
Obtains a freshly printed receiptthat displays the encrypted ballot
Takes the receipt home and uses itas a tracking number.
Receipts posted for public tally.
Alice
Voting Machine
Encrypted Vote
Paper Experience
36
Pre-print paper ballots with some indirection betw candidate and choice
Break the indirection (tear, detach)for effective encryption
Take receipt home and use itas tracking number.
Receipts posted for public tally.q r m x
Adam - x
Bob - q
Charlie - r
David - m
q r m x
8c3sw
Adam - x
Bob - q
Charlie - r
David - m
8c3sw
q r m x
8c3sw
8c3sw
David
Adam
Bob
Charlie
_______
_______
_______
_______
David
Adam
Bob
Charlie
_______
_______
_______
_______
8c3sw
3.Cryptography-based Voting
(Open-Audit Voting) is closing in on practicality.
37
Benaloh Casting
38
Benaloh Casting
38
Alice
Benaloh Casting
38
Alice
"Obama"
Benaloh Casting
38
Alice
EncryptedBallot
"Obama"
Benaloh Casting
38
Alice
EncryptedBallot
Alice
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
Alice
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Benaloh Casting
38
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
Alice
SignedEncryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Many more great ideasNeff ’s MarkPledge➡ high-assurance, human-verifiable, proofs of correct encryption
Scantegrity➡ closely mirrors opscan voting
ThreeBallot by Rivest➡ teaching the concept of open-audit without deep crypto
STV: Ramchen, Teague, Benaloh & Moran.➡ handling complex election styles
Prêt-à-Voter by Ryan et al.➡ elegant, simple, paper-based
39
Deployments!
UCL (25,000 voters)
Scantegrity @ Takoma Park
SCV
40
Three Points
41
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets,it creates trust between competitors,it democratizes the auditing process.
3. Open-Audit Voting is closing in on practicality.
My Fear :
computerization of voting is inevitable.without open-audit,the situation is grim.
42
My Hope:proofs for auditing
partially-secret processes will soon be as common as public-
key crypto is now.
43
Challenge:
44
Ed Felten: “you have no voter privacy, deal with it.”
Challenge:
44
Ed Felten: “you have no voter privacy, deal with it.”
Questions?45