Beyond Prêt à Voter

Peter Y A Ryan

Frontiers of Electronic Elections, Milan, 16 September 2005

Credits

• With thanks to:
– David Chaum
– Michael Clarkson
– James Heather
– Michael Jackson
– Thea Peacock
– Brian Randell
– Ron Rivest
– Steve Schneider
– and many others…

Outline

• Outline of Prêt à Voter “Classic”

• Prêt à Voter with re-encryption mixes

• Vulnerabilities and counter-measures

• Open questions and future work

The Requirements

• Key requirements/desiderata (informal and incomplete):
– Integrity/accuracy.
– Ballot secrecy.
– Voter verifiability: the voter should be able to confirm that their vote is accurately included in the count and prove to a 3rd party if it is not (whilst not revealing their vote).
– Minimal dependence on (trust in) system components.
– Availability.
– No early results.
– Public confidence.
– Usability.
– …

Assumptions

• For the purposes of the talk I will make many sweeping assumptions, e.g.:
– An accurate electoral register is maintained.
– Mechanisms are in place to ensure that voters can be properly authenticated.
– Mechanisms are in place to prevent double voting.
– Existence of a secure Web Bulletin Board.
– Etc.

• Note: Supervised rather than remote.

Voter-verifiability in a nutshell

• Voters are provided with an encrypted “receipt” and are able to verify the decryption in the booth.

• Copies of the receipts are posted to a web bulletin board. Voters can verify that their (encrypted) receipt is correctly posted.

• Tellers perform a robust anonymising mix on the batch of posted receipts, revealing the decrypted votes at the end.

• Checks are performed at each stage to catch any attempt to decouple the encryption on the receipt from the decryption performed by the tellers.

Prêt à Voter

• Uses pre-prepared ballot forms that encode the vote in familiar form (an X against the chosen candidate).

• The candidate list is (independently) randomised for each ballot form.

• Information allowing the candidate list to be reconstructed is buried cryptographically in an “onion” on each form.

• An excess number of forms are generated to allow for random auditing, before, during and after the election.

Example (single candidate choice)

• Each ballot form has a unique, secret, random seed s

• For each form, a permutation of the candidate list is computed as a publicly known function of this seed.

• The seed information is buried cryptographically using public keys of a number of tellers in an “onion” printed on the form.

• The seed can only be extracted by the collective actions of tellers, or a suitable subset if a threshold scheme is used.

Typical Ballot Sheet

Epicurus

Democritus

Aristotle

Socrates

Plato

$rJ9*mn4R&8

Voter marks their choice

Epicurus

Democritus

Aristotle

Socrates

Plato

$rJ9*mn4R&8

Voter’s Ballot Receipt

$rJ9*mn4R&8

Voter casts her vote

• Once the voter has made their choice, the LH strip is detached and discarded.

• RH strip constitutes the receipt which is fed into a device that reads the information on the right hand strip.

• The device will transmit a digital copy of the receipt (the RH strip) to a central server, as a pair (r, Onion), for posting to the web bulletin board.

• The RH strip is returned to Anne (digitally signed and franked).

• Here $r$ ($\in \mathbb{Z}_v$) is the index value that encodes the position of the X.

Remarks

• Note that the receipt reveals nothing about the vote.

• The onion carries the crypto seed, encrypted with the tellers’ public keys, that (a subset of) the tellers use to reconstruct the permutation of the candidate list.

• Without all of these secret keys (or an appropriate subset) the candidate list cannot be reconstructed and hence the vote value cannot be recovered.

• Vote is not directly encrypted, rather the frame of reference, i.e., the candidate list, is randomised and information defining the frame is encrypted.

• A VVPAT style mechanism can be incorporated.

• The voter choice must be made in isolation.

• Casting an encrypted ballot can be done in the presence of an official, i.e., does not have to be in isolation.

Anonymisation and tabulation

• Once the election has closed and all receipts have been posted to the WBB, a set of tellers perform a robust anonymising mix on the receipts:
– Receipts are decrypted by stages and undergo multiple secret shuffles. Intermediate stages are also posted to the WBB for audit.
– Tellers transform the “r” index value. The final “r” values that emerge from the mix give the raw vote value in the canonical basis.
– Any link between the original receipts and the decrypted values will be lost.

Seeds and offsets

• Suppose that we have k tellers. Each teller has two public key pairs. For each ballot form 2k random germs are generated:

$g_i \in \mathbb{Z}_N$ (some modest size N, e.g., $2^{32}$)

• The seed value is taken to be the sequence of these germ g values:

$\mathrm{Seed} := g_0, g_1, g_2, g_3, \ldots, g_{2k-1}$

• These germs are now crypto hashed and taken modulo v:

$d_i := \mathrm{hash}(g_i) \pmod{v}, \quad i = 0, 1, 2, \ldots, 2k-1$

• And the candidate list offset is given by the sum modulo v of these:

$\text{offset} := \sum_{i=0}^{2k-1} d_i \pmod{v}$

Onion construction

• The germs are buried in the 2k layers of the onion:

• $D_0$ is a random value, unique to each ballot form. Then:

$D_{i+1} := \{g_i, D_i\}_{PK_{T_i}}, \quad i = 0, \ldots, 2k-1$

$\mathrm{Onion} := D_{2k}$

• Thus:

$\mathrm{Onion} := \{g_{2k-1}, \{g_{2k-2}, \{\ldots, \{g_2, \{g_1, \{g_0, D_0\}_{PK_{T_0}}\}_{PK_{T_1}}\}_{PK_{T_2}} \ldots\}_{PK_{T_{2k-3}}}\}_{PK_{T_{2k-2}}}\}_{PK_{T_{2k-1}}}$

[Figure: Teller 1, Teller 1'; Batch 1, Batch 2, Batch 3]

What can go wrong…

• For the accuracy requirement:

– Ballot forms may be incorrectly constructed, leading to incorrect decryption of the vote

– Ballot receipts could be corrupted before they are entered in the tabulation process.

– Tellers may perform the decryption incorrectly.

• We now discuss the counter-measures to these threats.

Checking the ballot forms

• We need to check that the seed buried in the onion does correspond to the candidate permutation shown on the ballot form.

• Checks can be performed by auditors and the voters to catch such corruption:
– Random audits of ballot forms performed before, during and after the election period by the Electoral Reform Soc etc.
– Voters could also be invited to perform similar checks on randomly selected “dummy” forms. For example, voters could be invited to randomly select a pair of forms, one to check, one to cast their vote.

Auditing ballot forms

• To check the construction of the ballot forms, the values on the form, onion and candidate ordering, can be reconstructed if the seed value is revealed.

• One of the innovations of Prêt à Voter is to use the tellers in an on-demand mode to reveal the secret seed value buried in the onion. This avoids problems with storing and selectively revealing seeds.

• Note, for this checking process, the tellers are used on an on-demand basis before and during the election, quite different to the batch mode for the anonymising mix after the election has closed.
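The seed, offset and onion construction from the earlier slides, together with the on-demand form audit described above, as an added example (not code from the talk). The XOR-keystream `layer` is a symmetric stand-in for encryption under the tellers' public keys; the canonical candidate order, the per-layer update of r, the printed-list convention and all function names are assumptions.

```python
import hashlib
import secrets

# Canonical candidate order and key sizes are constructed for this example.
CANDIDATES = ["Aristotle", "Democritus", "Epicurus", "Plato", "Socrates"]
V = len(CANDIDATES)
GERM_BYTES = 4                      # germs drawn from Z_N with N = 2**32

def teller_keys(k):
    """Two keys per teller, 2k in all (symmetric stand-ins for key pairs)."""
    return [secrets.token_bytes(16) for _ in range(2 * k)]

def layer(key, data):
    """Stand-in for {.}_PK: XOR with a SHA-256 keystream (its own inverse)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def d_value(germ):
    """d_i := hash(g_i) mod v."""
    return int.from_bytes(hashlib.sha256(germ).digest(), "big") % V

def offset(germs):
    """Candidate list offset: sum of the d_i modulo v."""
    return sum(d_value(g) for g in germs) % V

def printed_list(off):
    """Assumed convention: position j on the form shows canonical[(j - off) mod v]."""
    return [CANDIDATES[(j - off) % V] for j in range(V)]

def make_form(keys):
    """Build one ballot form: D_{i+1} := {g_i, D_i}_PK_Ti, Onion := D_2k."""
    germs = [secrets.token_bytes(GERM_BYTES) for _ in keys]
    onion = secrets.token_bytes(8)  # D_0, random and unique to the form
    for germ, key in zip(germs, keys):
        onion = layer(key, germ + onion)
    return {"list": printed_list(offset(germs)), "onion": onion}

def strip_layers(onion, keys):
    """Peel the onion outermost layer first, yielding each germ in turn."""
    for key in reversed(keys):
        plain = layer(key, onion)
        germ, onion = plain[:GERM_BYTES], plain[GERM_BYTES:]
        yield germ

def tabulate(r, onion, keys):
    """Each layer removes its d_i from r; the result indexes the canonical list."""
    for germ in strip_layers(onion, keys):
        r = (r - d_value(germ)) % V
    return r

def audit_form(form, keys):
    """On-demand check: does the list printed on the form match its onion?"""
    germs = list(strip_layers(form["onion"], keys))
    return printed_list(offset(germs)) == form["list"]
```

A form whose printed list has been rotated relative to its onion fails `audit_form`, which is the corruption the random audits are meant to catch.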

Ballot form checking modes

• In fact, this oracle teller mode suggests several ways for voters to check the well-formedness of ballot forms:
1. Simple, single dummy vote
2. Multiple or ranked dummy vote
3. Given the onion value, the tellers return the candidate ordering

• Note: vulnerable to authority/tellers collusion attacks.

• The auditor checks are the more rigorous: not vulnerable to authority/teller collusions.

Recording and transmission

• To check that receipts are accurately recorded and input into the mix:

• Voters can visit the WBB and check that their receipt appears correctly recorded.

• Voter checks can be supplemented by independent audit authorities checking the WBB against the VVPAT style record of ballot receipts (also useful for recount and recovery).

Auditing the tellers

• Partial Random Checking of the teller transformations: auditor randomly selects half of the links to be revealed and checked, but in such a way as not to reveal any links across the two transformations performed by the teller.

• Go down middle WBB column for each teller and randomly assign ► or ◄ to each pair.

• For a ►(◄), the tellers reveal the outgoing (incoming) link along with the associated re-encryption randomisation values.

• Note: because no complete paths across a given teller’s pair of mixes are revealed by the audit process, we can audit the tellers independently.
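The audit just described, as an added example that is not code from the talk: one teller performs two mixes, and the auditor checks exactly one revealed link per middle-column slot. The hash-based `transform` is a stand-in for a step that can be recomputed from its input and randomisation value; it and all names here are assumptions.

```python
import hashlib
import random
import secrets

OUT, IN = "►", "◄"   # the slide's symbols: reveal the outgoing / incoming link

def transform(item, rand):
    """Stand-in for one re-randomising step: anyone holding (input, rand)
    can recompute the output, as with revealed re-encryption randomness."""
    return hashlib.sha256(item + rand).digest()

def mix_stage(items, rng):
    """Transform every item with fresh randomness and secretly permute.
    links[k] = (index of the input that became output k, randomness used)."""
    sources = list(range(len(items)))
    rng.shuffle(sources)
    links = [(src, secrets.token_bytes(16)) for src in sources]
    return [transform(items[src], rand) for src, rand in links], links

class Teller:
    """Performs two mixes; left, middle and right are the posted WBB columns."""
    def __init__(self, left, rng):
        self.left = list(left)
        self.middle, self.links1 = mix_stage(self.left, rng)
        self.right, self.links2 = mix_stage(self.middle, rng)

    def reveal(self, j, direction):
        """Answer the challenge for middle slot j with (other index, randomness)."""
        if direction == IN:
            return self.links1[j]
        k = next(k for k, (src, _) in enumerate(self.links2) if src == j)
        return k, self.links2[k][1]

def audit(teller, challenges):
    """Check one revealed link per middle slot, never both sides of a slot,
    so no complete left-to-right path is exposed."""
    seen = set()
    for j, direction in enumerate(challenges):
        idx, rand = teller.reveal(j, direction)
        if direction == IN:
            ok = teller.middle[j] == transform(teller.left[idx], rand)
        else:
            ok = teller.right[idx] == transform(teller.middle[j], rand)
        if not ok or (direction, idx) in seen:   # bad link or reused endpoint
            return False
        seen.add((direction, idx))
    return True

def random_challenges(n, rng):
    """Auditor's coin flips: one of the two symbols per middle slot."""
    return [rng.choice([OUT, IN]) for _ in range(n)]
```

A substituted output is caught only when the middle slot feeding it draws ►, so each tampered term escapes a single audit with probability one half.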

Auditing the tellers

[Figure: Teller 1, Teller 1']

Advantages of Prêt à Voter

• Voter experience simple and familiar.

• Ballot form commitments and checks made before election opens: neater recovery strategies.

• The vote recording device doesn’t get to learn the vote.

• Votes are not directly encrypted, just the frame of reference.

• Highly flexible.

• Adaptable to remote voting (see talk by Michael Clarkson).

Enhancements

• Re-encryption mixes

• Distributed generation of ballot forms.

• Concealment of onion/candidate list associations.

• Separation of teller modes.

Re-encryption mixes

• Prêt à Voter Classic uses Chaumian (decryption) mixes.

• Alternatives:
– Re-encryption mixes.
– Homomorphism schemes etc.

• Advantages of re-encryption:
– Tellers inject fresh entropy at each stage, hence onion size doesn’t grow with number of tellers and germ size.
– Less dependence on availability of tellers: a faulty mix teller can just be binned and replaced.
– Full mixing over the El Gamal group.
– Clean separation of mixing and decryption stages.
– Mixes and audits can be rerun afresh.

• Downsides:
– Need shuffle commitments.
– Tricky to mesh with Prêt à Voter.

Re-encryption mixes

• Prêt à Voter’s rather special representation of the vote in the receipts makes it tricky to mesh with re-encryption mixes. Some possible approaches:
1. Leave r terms unchanged through the mixes.
2. Follow re-encryption mixes with Chaumian decryption mixes.
3. Absorb the r into the onion value.
4. Transform both r and D terms leaving vote value invariant – but seems to necessitate malleable encryption.
5. Add teller transforms to the index values, storing the entropy in an extra (pre-generated and audited) “onion” value.
6. Primitive for which only orbits of the local permutation group can be generated (“slightly malleable”).
7. Use zero-knowledge/crypto-homomorphism mixes, but loses the conceptual simplicity of the PRC approach (and linear scaling behaviour).

Discussion

• Option 1: allows the adversary to partition the mix according to the index value, but might be okay where the number of voters vastly exceeds the number of ballot options.

• Option 2: again the re-encryption mix can be partitioned. Might be a reasonable compromise.

• Options 3 and 4: seem to work nicely but appear to necessitate malleable encryption for the terms that move through the mix. Not clear whether this introduces vulnerabilities not countered by the mix audits.

• Option 5: speculative.

• Option 6: promising, but seems to lose the conceptual simplicity of the PRC approach, and perhaps the linear scaling properties.

El Gamal encryption

• El Gamal encryption:

• let be a generator of cyclic group $\mathbb{Z}_p^*$, p a large prime. Choose k (2kp-2) and let = k (mod p).

• p, and made public, k kept secret.

• (Randomised encryption) of m in {0, …, p-1}:

(x, x.m) =: (y1, y2)

• Re-encryption:

(x+y, x+y.m)

• Note: same as directly encrypting m with x+y.

• Decryption:

$m = y_2 / y_1^k$

Option 3

• Let d be the ballot seed. Encrypt -d in the El Gamal pair to form the onion.

(x, x. -d) =: (y1, y2)

• Where d (mod ) can be taken as the offset.

• A receipt pair can be transformed to:

(r, x, x. -d) (x, x. r-d)

• This can be put through a conventional re-encryption mix and the final decryption yields the vote value directly.

• Fine for cyclic shifts of the candidate list, needs elaboration for full permutations.
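El Gamal re-encryption and Option 3 carried through end to end, as an added example that is not code from the talk: the onion encrypts an encoding of -d, the index r is absorbed into it, the batch passes through re-encryption shuffles, and decryption yields the vote. The names `G` (generator), `h` (public key) and `GAMMA` (an element of order v used to encode indices), the toy prime, the single key standing in for the tellers' key, the printed-list convention and the canonical candidate order are all assumptions.

```python
import random

# Toy parameters so the block runs offline (assumptions; not secure choices).
P = 2**61 - 1                                    # a Mersenne prime
FACTORS = [2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321]  # primes dividing P-1
CANDIDATES = ["Aristotle", "Democritus", "Epicurus", "Plato", "Socrates"]  # constructed
V = len(CANDIDATES)                              # V must divide P-1

def find_generator():
    """Smallest g whose order is P-1, i.e. a generator of Z_p^*."""
    return next(g for g in range(2, P)
                if all(pow(g, (P - 1) // q, P) != 1 for q in FACTORS))

G = find_generator()
GAMMA = pow(G, (P - 1) // V, P)                  # order V: encodes index j as GAMMA**j

def keygen(rng):
    k = rng.randrange(2, P - 1)                  # secret; stands in for the tellers' key
    return k, pow(G, k, P)                       # public h = G^k mod P

def encrypt(h, m, rng):
    x = rng.randrange(1, P - 1)
    return (pow(G, x, P), pow(h, x, P) * m % P)  # (y1, y2)

def reencrypt(h, c, rng):
    y = rng.randrange(1, P - 1)                  # same as encrypting m with x + y
    return (c[0] * pow(G, y, P) % P, c[1] * pow(h, y, P) % P)

def decrypt(k, c):
    return c[1] * pow(c[0], P - 1 - k, P) % P    # m = y2 / y1^k

def printed_list(d):
    """Assumed convention: position j shows canonical[(j - d) mod V]."""
    return [CANDIDATES[(j - d) % V] for j in range(V)]

def make_onion(h, d, rng):
    """Onion encrypts GAMMA^(-d); d mod V is the candidate-list offset."""
    return encrypt(h, pow(GAMMA, -d % V, P), rng)

def absorb_index(r, onion):
    """(r, y1, y2) -> (y1, y2 * GAMMA^r), an encryption of GAMMA^(r-d)."""
    return (onion[0], onion[1] * pow(GAMMA, r, P) % P)

def mix(h, batch, rng):
    """One teller: re-encrypt every term, then shuffle."""
    out = [reencrypt(h, c, rng) for c in batch]
    rng.shuffle(out)
    return out

def tally(k, batch):
    """Decrypt each term and decode GAMMA^j back to the canonical candidate j."""
    decode = {pow(GAMMA, j, P): CANDIDATES[j] for j in range(V)}
    counts = {}
    for c in batch:
        name = decode[decrypt(k, c)]
        counts[name] = counts.get(name, 0) + 1
    return counts

def run_election(choices, tellers=3, seed=2005):
    rng = random.Random(seed)                    # reproducible demo; use a CSPRNG in practice
    k, h = keygen(rng)
    batch = []
    for choice in choices:
        d = rng.randrange(2**32)                 # ballot seed
        r = printed_list(d).index(choice)        # position of the voter's mark
        batch.append(absorb_index(r, make_onion(h, d, rng)))
    for _ in range(tellers):
        batch = mix(h, batch, rng)
    return tally(k, batch)
```

Because only the exponent r-d modulo v is recoverable, this handles cyclic shifts of the candidate list and nothing more general, matching the slide's closing caveat.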

Prêt à Voter Vulnerabilities

• Chain voting.

• Authority knowledge of ballot form information.

• Destruction of LH strips.

• Separation of teller modes.

Chain Voting

• Effective against many conventional voting systems:
1. Coercer smuggles a blank ballot form out of the polling station and marks it with their preferred candidate.
2. They intercept a voter entering the polling station, hand them the marked up form and tell them that if they emerge from the station with a fresh, unmarked form they will be rewarded.
3. Return to step 1.

Counter-measures

• In a system like the UK system in which voters are given a ballot form when they register and are then observed to cast the form in the ballot box, this can be quite effective: if the voter emerges with a fresh, blank form it is a strong indication that they cast the coercer’s marked form.

• For a conventional system, a possible counter-measure is to use a system along the lines of the French system: ballot forms are not controlled, only their casting. Ballot forms are freely available at the polling station. Voters register at the moment that they cast their vote, in an envelope.

Chain voting and Prêt à Voter

• Particularly virulent with WBB systems. Conventional counter-measure fails.

• Countermeasures:
– Note:
  – Voters don’t need sight of the onion value in order to make their selection.
  – Casting an encrypted ballot can be in the presence of a voting official.

• Hence:
– Conceal the onion under a scratch strip.
– Official checks scratch strip is intact at time of casting.
– Also need to check that form used to cast corresponds to the forms given to the voter when they register.
– Handling ballot forms in sealed envelopes also helps.

Authority knowledge

• Entities that create and handle the ballot forms must be trusted to keep onion/candidate lists secret.

• Countermeasures:
– Create pairs of “entangled” onions. Conceal one under a scratch card or cryptographically and perform a pre-mix.
– Have a further entity translate the exposed onions into candidate lists.
– Random audit the resulting forms.
– Cast encrypted receipts in presence of an official and reveal the onion value at this point.

• Further possibilities:
– “Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence Tests (PET) on the entangled onion pairs and PRC the mix).
– Just in time candidate lists.
– Just in time onions.
– Multiple entangled onions (independently reveal candidate lists for n-1).

• Plenty of possibilities, some adaptable to remote contexts.

Destruction of LH strips

• Procedural: officials oversee destruction of LH strips.

• Mechanical: device that automatically strips off the LH strip and discards it.

• Decoy strips: plentiful supply of alternative LH strips provided in the booth.

• Scratch strips: onion under the strip (in 2D bar code?) candidate list overprinted: revealing the onion destroys the list.

• Disc ballots!? Ballot “forms” take the form of a pair of discs sealed together. After selection they are separated. Axial symmetry ensures that the original configuration is lost.

• Quantum!? Ballot “forms” using entangled q-bits. Measurement to reveal candidate lists collapses the wave functions.

Confusion of tellers modes

• Essential that any onion can be processed at most once.
– Allow on-demand teller mode only during the pre-election phase. Ensure that all audited ballots are destroyed.
– Procedural/Mechanical: any processed form is invalidated to prevent reuse.
– Cryptographic, e.g., authentication codes that are destroyed when the onion is used.
– Just in time candidate lists: revealed only at the time that the voter makes their selection.

Future work

• On the current model:
– Determine exact requirements.
– Formal analysis and proofs.
– Construct threat and trust models.
– Investigate error handling and recovery strategies.
– Develop a full, socio-technical systems analysis.
– Develop prototypes and run trials, e.g., e-voting games!
– Investigate public understanding and trust.

Future work

• Beyond the current scheme:
– Alternative sources of seed entropy: Voters, optical fibres in the paper,…?
– Protocols for on-demand/distributed generation and checking of ballot forms, e.g., authenticated onion establishment.
– (Threshold) schemes to thwart collusion attacks on checking modes.
– Alternative robust mixes.
– Adaptation to remote voting (Cornell work).
