Edinburgh 12 June 2008 P Y A Ryan Prêt à Voter 1 Trust and Security in Voting Systems Peter Y A...

Edinburgh12 June 2008

P Y A RyanPrêt à Voter

1

Trust and Security in Voting Systems

Peter Y A RyanNewcastle University



2

Outline

• The problem.

• Voter-verifiability.

• Overview of “Prêt à Voter”.

• Voter-verifiability without cryptography:– Randell/Ryan Pretty Good Democracy.– Rivest’s Three-Ballot scheme.

• Conclusions.



3

The Problem

• From the dawn of democracy it was recognised that people would try to corrupt the outcome of elections.

• Highly adversarial: system trying to cheat voters, voters trying to cheat the system, coercers trying to influence voters, voters trying to fool coercers etc.

• The Ancient Greeks used primitive gadgets to shift the trust from people (officials) to mechanical devices.

• In the US they have been using technological devices for voting for over a century: e.g., lever machines since 1887, punch cards, optical scans, touch screen etc. prompted by high instance of fraud with paper ballots!

• All have problems, see “Steal this Vote” Andrew Gumbel and “Brave New Ballot” by Avi Rubin.



4

“The Computer Ate my Vote”

• In the 2004 US presidential election, ~30% of the electorate used DRE, touch screen devices.

• Aside from the “thank you for your vote for Kerry, have a nice day” what assurance does the voter have that their vote will be accurately counted?

• What do you do if the count is called into question?

• We need to trust the software completely.• Voter Verifiable Paper Audit Trails (VVPAT) (the

“Mercuri method”) has been proposed. But paper trails are not infallible either.



5

The challenge

• Need high assurance that all votes are accurately recorded and counted-while maintaining ballot secrecy.

• The challenge is to reconcile these two conflicting requirements whilst minimising dependence on the components (booth devices, tellers, software, hardware, officials etc.) of the scheme.

• Above all, we seek to eliminate dependence on the software (Rivest’s “software independence”).

• Verify the election result not the voting system!• Needs to be usable and sufficiently understandable to be

widely trusted.



6

Secure distributed computation

• Voting, with ballot privacy, can be viewed as a special case of secure distributed computation:

• Several parties input secret data and want to compute a function of these inputs without revealing the inputs.

• Voting however has a number of special features, in particular it has to be very usable and public confidence in the outcome has to be very high, with minimal dependence. In particular, we try to avoid assuming that voters have trusted devices.



7

Remote vs Supervised

• Supervised voting: voter casts their vote in enforced isolation, e.g., in a booth in a polling station.

• Remote voting, e.g., internet, postal, telephone etc.

• In the remote context, isolation cannot be enforced, hence greater dangers of coercion.

• The bulk of the talk will be about supervised.



8

Hazards of e-voting!



9

Florida 2000



10

Election Requirements

• Elections should be “free and fair”.• Key requirements:

– Integrity/accuracy: • Each voter should be able to cast one vote.• the count must demonstrably accurately reflect the votes cast.

– Ballot secrecy: the way a voter cast their vote should only be known to the voter.

• Novel requirement:– Voter verifiability: the voter should be able to confirm that their

vote is accurately included in the count (without violating ballot secrecy).

• Ease of use, public understanding and trust, cost effective, scalable etc. etc…..



11

Assumptions

• For the purposes of the talk I will make many sweeping assumptions, notably:– An accurate electoral register is maintained.– Voters are properly authenticated.– Mechanisms are in place to prevent double voting.– Existence of a secure Web Bulletin Board.– Cryptographic algorithms are sufficiently secure.– And many more…..



12

Voter-verifiability in a nutshell

• At the time of casting, voters get a “protected receipt”.• Copies of the receipts are posted to a secure web

bulletin board. Voters can verify that their receipt is correctly posted.

• A verifiable tabulation is performed on the posted receipts.

• Checks are performed at each stage to detect any errors or corruption.

• Seek maximal transparency of the vote capture and counting.

• Typically achieved using crypto, but not always…..



13

Voting with commuting diagrams

E D = E-1

Mix

Ideal functionality

Receipts

Votes*Votei

Receipts*



14

Prêt à Voter

• Uses familiar, paper ballot forms with a list of candidates down the left hand side.

• Voters mark a against the candidate of choice, or perhaps rankings etc.

• The candidate list is randomised for each ballot form.

• Information defining the candidate list is buried cryptographically in a value printed on each ballot form.



15

Typical Ballot Sheet

Obelix

Asterix

Idefix

Panormix

Geriatrix

$rJ9*mn4R&8



16

Voter marks their choice

Obelix

Asterix Idefix

Panoramix

Geriatrix

$rJ9*mn4R&8



17

Voter’s Ballot Receipt

$rJ9*mn4R&8



18

The voting “ceremony”

• Scenario:– Voter enters the polling station and takes a ballot form at

random, sealed in an envelope.– Goes to a booth, extracts the ballot form and marks her choice.– She separates the left-hand and right-hand portions.– Discards the left hand portion that carries the candidate order.– Leaves the booth with the right hand portion, that constitutes the

receipt, and registers with an official.– A digital copy of the receipt is made and posted to the WBB. The

receipt is digitally signed and franked and returned to the voter.– She walks away contended clutching her receipt.



19

After the voting phase

– Once the election is closed, digital copies of the receipts are posted to the Web Bulletin Board (WBB).

– The voters can visit the WBB and confirm that their ballot appears correctly.

– Additionally, checks could be performed by independent entities between the (encrypted) paper audit trail and posted receipts.

– Ballots are repeatedly transformed and shuffled, then decrypted.

– All intermediate stages posted to the WBB and subjected to random audits.

– The count is performed in full view.



20

Remarks

• The receipt reveals nothing about the vote

• Vote casting (of encrypted receipts) can be in the presence of officials and observers (à la Française).

• An encrypted paper audit trail can be incorporated.

• Works for ranked, STV etc.



21

Anonymisation and tabulation

• Once the election has closed all the receipts are posted to the WBB, a set of tellers perform a cascade of robust anonymising mixes on the receipts:– Receipts are repeatedly transformed and shuffled. – After shuffling, the ballots are decrypted.– Final column shows the shuffled, decrypted votes.– All the intermediate stages are posted to the WBB for

subsequent audit.– Any link between the original receipts and the

decrypted values is lost in the multiple shuffles.



22

Teller 1

Teller 2

Batch 1 Batch 2 Batch 3



23

But stuff happens…

• Fine as long as we are happy to trust “The Authority”, the tellers etc.

• But we want to avoid having to trust anyone or anything.• For the accuracy requirement:

– Ballot forms may be incorrectly constructed, leading to incorrect encoding of the vote.

– Ballot receipts could be corrupted before they are entered in the tabulation process.

– Tellers may perform the shuffles and decryption incorrectly.

• We now outline the error/corruption detection mechanisms.



24

Checking the ballot forms

• It is essential for the correct encoding of the vote that the information buried in the onion correctly corresponds to the candidate permutation printed on the ballot form.

• Checks are performed to catch faulty ballots:– Audits of randomly selected ballot forms are performed before,

during and after the election period, by the Electoral Commission etc.

– Voters could also perform similar checks on randomly selected “dummy” forms, e.g., randomly select a pair of forms, one to check (and discard), one to cast their vote.

– Variants of Prêt à Voter allow for creation of ballots in the booth; requires cut-and-choose style mechanisms to audit the booth device’s behaviour.



25

Recording and transmission

• To check that receipts are accurately recorded and input into the mix:– Voters can visit the WBB and check that their

receipt appears correctly recorded.– Voter Helper Organisations may perform

checks on the voter’s behalf.– These checks can be supplemented by

independent audit authorities checking the WBB against the Verified Encrypted Paper Audit Trail (VEPAT).



26

Auditing the mix tellers

• We perform random audits of the teller transformations: auditor randomly selects half the of the links to be revealed and checked, but in such a way as not to reveal any complete links through the mixes.

• Go down middle WBB column for each teller and randomly assign ► or ◄ to each pair.

• For a ►(◄), the tellers reveal the outgoing (incoming) link along with the associated secret transformation values.



27

Auditing the mix tellers

Teller 1 Teller 2



28

Assurance

• Suppose that we audit half of the ballots, (and assuming absence of collusion between auditors and The Authority and the tellers) the chance of n ballots being corrupted undetected falls off as:

(1/2)n

• Thus, the chance of the corruption of 10 ballots going undetected is roughly one in a thousand, of 20 it is one in a million.

• For secrecy we rely on defence in depth: (almost) all the tellers would have to be compromised to compromise secrecy.



29

Advantages

• Voter experience simple and familiar.

• No need for voters to have personal cryptographic keys or computing devices.

• Ballot form commitments and checks made before election opens neater recovery strategies.



30

Trust and Trustworthiness

• Analysis suggests that the scheme provided a high degree of assurance with minimal trust assumptions.

• Trust depends on perception and, presumably, to some degree on understanding.

• The arguments supporting the assertion of trustworthiness are subtle.

• How can we instil trust in the public at large?• Can we side-step the need for cryptography?



31

Recent trial of Prêt à Voter

• Prêt à Voter was trialed on the NCL campus recently: 105 people voted for three charities.

• Went quite smoothly, but clear that a significant number of voters did not understand the mechanisms, e.g.:– Retained the LH portion.– Tried to conceal the RH portion from the officials

when casting.

• Need better instructions and explanations.• Better training for poll workers.



44

Conclusions • Introduction of poorly thought out technology might in the UK might

undermine electoral confidence.• Voter-verifiable systems, like Prêt à Voter, can provide high-

assurance elections with the need to trust suppliers of software etc.• But the arguments for the assurance are subtle.• Instilling trust in such systems poses major challenges:

– To what extent will people understand the assurance arguments?– To what extent to voters need to understand the mechanisms, or are the

assurances of suitable experts etc enough?– How should such systems be presented

• Voting systems a dynamic (and socially important) area of research.• Recently proposed voter-verifiable schemes are mature enough to

be trialled.

Edinburgh 12 June 2008 P Y A Ryan Prêt à Voter 1 Trust and Security in Voting Systems Peter Y A...

Documents

Transcript of Edinburgh 12 June 2008 P Y A Ryan Prêt à Voter 1 Trust and Security in Voting Systems Peter Y A...