Edinburgh 12 June 2008 P Y A Ryan Prêt à Voter 1 Trust and Security in Voting Systems Peter Y A...
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Edinburgh 12 June 2008 P Y A Ryan Prêt à Voter 1 Trust and Security in Voting Systems Peter Y A...
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
1
Trust and Security in Voting Systems
Peter Y A RyanNewcastle University
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
2
Outline
• The problem.
• Voter-verifiability.
• Overview of “Prêt à Voter”.
• Voter-verifiability without cryptography:– Randell/Ryan Pretty Good Democracy.– Rivest’s Three-Ballot scheme.
• Conclusions.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
3
The Problem
• From the dawn of democracy it was recognised that people would try to corrupt the outcome of elections.
• Highly adversarial: system trying to cheat voters, voters trying to cheat the system, coercers trying to influence voters, voters trying to fool coercers etc.
• The Ancient Greeks used primitive gadgets to shift the trust from people (officials) to mechanical devices.
• In the US they have been using technological devices for voting for over a century: e.g., lever machines since 1887, punch cards, optical scans, touch screen etc. prompted by high instance of fraud with paper ballots!
• All have problems, see “Steal this Vote” Andrew Gumbel and “Brave New Ballot” by Avi Rubin.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
4
“The Computer Ate my Vote”
• In the 2004 US presidential election, ~30% of the electorate used DRE, touch screen devices.
• Aside from the “thank you for your vote for Kerry, have a nice day” what assurance does the voter have that their vote will be accurately counted?
• What do you do if the count is called into question?
• We need to trust the software completely.• Voter Verifiable Paper Audit Trails (VVPAT) (the
“Mercuri method”) has been proposed. But paper trails are not infallible either.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
5
The challenge
• Need high assurance that all votes are accurately recorded and counted-while maintaining ballot secrecy.
• The challenge is to reconcile these two conflicting requirements whilst minimising dependence on the components (booth devices, tellers, software, hardware, officials etc.) of the scheme.
• Above all, we seek to eliminate dependence on the software (Rivest’s “software independence”).
• Verify the election result not the voting system!• Needs to be usable and sufficiently understandable to be
widely trusted.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
6
Secure distributed computation
• Voting, with ballot privacy, can be viewed as a special case of secure distributed computation:
• Several parties input secret data and want to compute a function of these inputs without revealing the inputs.
• Voting however has a number of special features, in particular it has to be very usable and public confidence in the outcome has to be very high, with minimal dependence. In particular, we try to avoid assuming that voters have trusted devices.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
7
Remote vs Supervised
• Supervised voting: voter casts their vote in enforced isolation, e.g., in a booth in a polling station.
• Remote voting, e.g., internet, postal, telephone etc.
• In the remote context, isolation cannot be enforced, hence greater dangers of coercion.
• The bulk of the talk will be about supervised.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
10
Election Requirements
• Elections should be “free and fair”.• Key requirements:
– Integrity/accuracy: • Each voter should be able to cast one vote.• the count must demonstrably accurately reflect the votes cast.
– Ballot secrecy: the way a voter cast their vote should only be known to the voter.
• Novel requirement:– Voter verifiability: the voter should be able to confirm that their
vote is accurately included in the count (without violating ballot secrecy).
• Ease of use, public understanding and trust, cost effective, scalable etc. etc…..
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
11
Assumptions
• For the purposes of the talk I will make many sweeping assumptions, notably:– An accurate electoral register is maintained.– Voters are properly authenticated.– Mechanisms are in place to prevent double voting.– Existence of a secure Web Bulletin Board.– Cryptographic algorithms are sufficiently secure.– And many more…..
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
12
Voter-verifiability in a nutshell
• At the time of casting, voters get a “protected receipt”.• Copies of the receipts are posted to a secure web
bulletin board. Voters can verify that their receipt is correctly posted.
• A verifiable tabulation is performed on the posted receipts.
• Checks are performed at each stage to detect any errors or corruption.
• Seek maximal transparency of the vote capture and counting.
• Typically achieved using crypto, but not always…..
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
13
Voting with commuting diagrams
E D = E-1
Mix
Ideal functionality
Receipts
Votes*Votei
Receipts*
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
14
Prêt à Voter
• Uses familiar, paper ballot forms with a list of candidates down the left hand side.
• Voters mark a against the candidate of choice, or perhaps rankings etc.
• The candidate list is randomised for each ballot form.
• Information defining the candidate list is buried cryptographically in a value printed on each ballot form.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
15
Typical Ballot Sheet
Obelix
Asterix
Idefix
Panormix
Geriatrix
$rJ9*mn4R&8
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
16
Voter marks their choice
Obelix
Asterix Idefix
Panoramix
Geriatrix
$rJ9*mn4R&8
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
18
The voting “ceremony”
• Scenario:– Voter enters the polling station and takes a ballot form at
random, sealed in an envelope.– Goes to a booth, extracts the ballot form and marks her choice.– She separates the left-hand and right-hand portions.– Discards the left hand portion that carries the candidate order.– Leaves the booth with the right hand portion, that constitutes the
receipt, and registers with an official.– A digital copy of the receipt is made and posted to the WBB. The
receipt is digitally signed and franked and returned to the voter.– She walks away contended clutching her receipt.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
19
After the voting phase
– Once the election is closed, digital copies of the receipts are posted to the Web Bulletin Board (WBB).
– The voters can visit the WBB and confirm that their ballot appears correctly.
– Additionally, checks could be performed by independent entities between the (encrypted) paper audit trail and posted receipts.
– Ballots are repeatedly transformed and shuffled, then decrypted.
– All intermediate stages posted to the WBB and subjected to random audits.
– The count is performed in full view.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
20
Remarks
• The receipt reveals nothing about the vote
• Vote casting (of encrypted receipts) can be in the presence of officials and observers (à la Française).
• An encrypted paper audit trail can be incorporated.
• Works for ranked, STV etc.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
21
Anonymisation and tabulation
• Once the election has closed all the receipts are posted to the WBB, a set of tellers perform a cascade of robust anonymising mixes on the receipts:– Receipts are repeatedly transformed and shuffled. – After shuffling, the ballots are decrypted.– Final column shows the shuffled, decrypted votes.– All the intermediate stages are posted to the WBB for
subsequent audit.– Any link between the original receipts and the
decrypted values is lost in the multiple shuffles.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
23
But stuff happens…
• Fine as long as we are happy to trust “The Authority”, the tellers etc.
• But we want to avoid having to trust anyone or anything.• For the accuracy requirement:
– Ballot forms may be incorrectly constructed, leading to incorrect encoding of the vote.
– Ballot receipts could be corrupted before they are entered in the tabulation process.
– Tellers may perform the shuffles and decryption incorrectly.
• We now outline the error/corruption detection mechanisms.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
24
Checking the ballot forms
• It is essential for the correct encoding of the vote that the information buried in the onion correctly corresponds to the candidate permutation printed on the ballot form.
• Checks are performed to catch faulty ballots:– Audits of randomly selected ballot forms are performed before,
during and after the election period, by the Electoral Commission etc.
– Voters could also perform similar checks on randomly selected “dummy” forms, e.g., randomly select a pair of forms, one to check (and discard), one to cast their vote.
– Variants of Prêt à Voter allow for creation of ballots in the booth; requires cut-and-choose style mechanisms to audit the booth device’s behaviour.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
25
Recording and transmission
• To check that receipts are accurately recorded and input into the mix:– Voters can visit the WBB and check that their
receipt appears correctly recorded.– Voter Helper Organisations may perform
checks on the voter’s behalf.– These checks can be supplemented by
independent audit authorities checking the WBB against the Verified Encrypted Paper Audit Trail (VEPAT).
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
26
Auditing the mix tellers
• We perform random audits of the teller transformations: auditor randomly selects half the of the links to be revealed and checked, but in such a way as not to reveal any complete links through the mixes.
• Go down middle WBB column for each teller and randomly assign ► or ◄ to each pair.
• For a ►(◄), the tellers reveal the outgoing (incoming) link along with the associated secret transformation values.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
28
Assurance
• Suppose that we audit half of the ballots, (and assuming absence of collusion between auditors and The Authority and the tellers) the chance of n ballots being corrupted undetected falls off as:
(1/2)n
• Thus, the chance of the corruption of 10 ballots going undetected is roughly one in a thousand, of 20 it is one in a million.
• For secrecy we rely on defence in depth: (almost) all the tellers would have to be compromised to compromise secrecy.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
29
Advantages
• Voter experience simple and familiar.
• No need for voters to have personal cryptographic keys or computing devices.
• Ballot form commitments and checks made before election opens neater recovery strategies.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
30
Trust and Trustworthiness
• Analysis suggests that the scheme provided a high degree of assurance with minimal trust assumptions.
• Trust depends on perception and, presumably, to some degree on understanding.
• The arguments supporting the assertion of trustworthiness are subtle.
• How can we instil trust in the public at large?• Can we side-step the need for cryptography?
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
31
Recent trial of Prêt à Voter
• Prêt à Voter was trialed on the NCL campus recently: 105 people voted for three charities.
• Went quite smoothly, but clear that a significant number of voters did not understand the mechanisms, e.g.:– Retained the LH portion.– Tried to conceal the RH portion from the officials
when casting.
• Need better instructions and explanations.• Better training for poll workers.
Edinburgh12 June 2008
P Y A RyanPrêt à Voter
44
Conclusions • Introduction of poorly thought out technology might in the UK might
undermine electoral confidence.• Voter-verifiable systems, like Prêt à Voter, can provide high-
assurance elections with the need to trust suppliers of software etc.• But the arguments for the assurance are subtle.• Instilling trust in such systems poses major challenges:
– To what extent will people understand the assurance arguments?– To what extent to voters need to understand the mechanisms, or are the
assurances of suitable experts etc enough?– How should such systems be presented
• Voting systems a dynamic (and socially important) area of research.• Recently proposed voter-verifiable schemes are mature enough to
be trialled.