Helios - Real-World Open-Audit Voting
79
Helios real-world open-audit voting Ben Adida Harvard University Workshop on Electronic Voting Tel Aviv University 18 May 2009
-
Upload
ben-adida -
Category
Technology
-
view
3.844 -
download
0
description
Helios and the recent UCL election presented at the electronic voting workshop in Israel, Tel Aviv University, May 2009.
Transcript of Helios - Real-World Open-Audit Voting
Heliosreal-world
open-audit votingBen Adida
Harvard University
Workshop on Electronic VotingTel Aviv University
18 May 2009
http://www.cs.uiowa.edu/~jones/voting/pictures/ 2
Who countsthe votes?
http://www.cs.uiowa.edu/~jones/voting/pictures/ 4
Democratizingthe Tallying Process
+ secrecy
Bulletin Board
Public Ballots
Bob:McCain
Carol:Obama
6
Bulletin Board
Public Ballots
Bob:McCain
Carol:Obama
Alice
6
Bulletin Board
Public Ballots
Alice:Obama
Bob:McCain
Carol:Obama
Alice
6
Bulletin Board
Public Ballots
Alice:Obama
Bob:McCain
Carol:Obama
Tally
Obama....2McCain....1
Alice
6
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....1
Alice
7
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....1
Alice
Alice verifies her vote
7
Encrypted Public BallotsBulletin Board
Alice:Rice
Bob:Clinton
Carol:Rice
Tally
Obama....2McCain....1
Alice
Alice verifies her vote Everyone verifies the tally
7
How can we verify operations on
encrypted data?
Mathematical Proofs.
8
Zero-Knowledge Proof
Vote For:
Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
9
Zero-Knowledge Proof
Vote For:
Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
9
Zero-Knowledge Proof
This last envelope likely contains “Obama”
Vote For:
Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
9
Zero-Knowledge Proof
Open envelopes don’t proveanything after the fact.
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For: Obama
President:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MousePresident:
Mickey MouseVote For:
Paul
10
McCain
“And there are cryptographic techniques that can be used to
achieve software independence so that even if there's a bug in the
software, you'll detect if there's a problem. But those are not ready for
prime time in my opinion.”
Avi Rubin, 7/9/2008
“But with cryptography, you’re just moving the black box. Few people really
understand it or trust it.”
Debra BowenCalifornia Sec. of State, 7/30/2008
(paraphrased)
Where to Start?
Most Open-Audit schemes
Complex voting process
In-person voting
Few can experience it
Helios
Simplify
Low-coercion elections
Web-based: all can experience
“Low-Coercion?”
- A more appropriate term might be“stratified coercion”
- If the voting public is a subset of the population, there may be inherent limits to coercion.
- e.g. university voting
- e.g. EFCA in the US
Technical Concepts
Technical Concepts
- Probabilistic Encryption & Threshold Decryption.posting ciphertexts safely on a bulletin board
Technical Concepts
- Probabilistic Encryption & Threshold Decryption.posting ciphertexts safely on a bulletin board
- Homomorphic Tallying.no write-ins, proofs of correct plaintext
Technical Concepts
- Probabilistic Encryption & Threshold Decryption.posting ciphertexts safely on a bulletin board
- Homomorphic Tallying.no write-ins, proofs of correct plaintext
- Benaloh Challenge.cast or audit, authenticate only upon cast
Technical Concepts
- Probabilistic Encryption & Threshold Decryption.posting ciphertexts safely on a bulletin board
- Homomorphic Tallying.no write-ins, proofs of correct plaintext
- Benaloh Challenge.cast or audit, authenticate only upon cast
- In-Browser Encryption.plaintext only in user’s browser
Probabilistic Encryption & Threshold Decryption
Public-Key Encryption
Public-Key Encryption
Keypair consists of a public key and a secret key .skpk
Public-Key Encryption
Keypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
Public-Key Encryption
Keypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
c5de34Encpk"McCain"
Public-Key Encryption
Keypair consists of a public key and a secret key .skpk
"Obama" 8b5637Encpk
c5de34Encpk"McCain"
a4b395Encpk"Obama"
Threshold Decryption
8b5637
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
Threshold Decryption
8b5637
b739cbDecsk1
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
8239baDecsk4
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
Threshold Decryption
8b5637
b739cbDecsk1
261ad7Decsk2
7231bcDecsk3
8239baDecsk4
Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.
"Obama"
Homomorphic Tallying
Homomorphic Property
22
First: r’th residuosity [Benaloh85]Also: Paillier Cryptosystem [P99]
Homomorphic Property
22
First: r’th residuosity [Benaloh85]Also: Paillier Cryptosystem [P99]
Enc(m1)! Enc(m2) = Enc(m1 + m2)
Homomorphic Property
22
First: r’th residuosity [Benaloh85]Also: Paillier Cryptosystem [P99]
Enc(m1)! Enc(m2) = Enc(m1 + m2)
Homomorphic Property
22
then we can simplyadd votes “under cover” of encryption!
First: r’th residuosity [Benaloh85]Also: Paillier Cryptosystem [P99]
Enc(m1)! Enc(m2) = Enc(m1 + m2)
Vote for Adam
Vote for Bob
Vote for Charlie0000 0001 00000000
0001 0000 00000000
0000 0000 00000001
Vote for David0000 0000 00010000
0004 0001 0008 0002 Sample Tally
[B+2001, P1999]
Homomorphic TallyVote for None
Vote for Obama
Vote for McCain
0003 0006 0005
23
BenalohCasting Protocol
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
"Obama"
Alice
EncryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
"Obama"
Alice
EncryptedBallot
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
"AUDIT"
Alice
EncryptedBallot
Alice
DecryptedBallot
Alice
"CAST"
SignedEncryptedBallot
Alice
http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg
SignedEncryptedBallot
DecryptedBallot
EncryptedBallot
VERIFICATION
"Obama"
Helios System Details
Helios System Details
- Python & JavaScript logic & crypto
Helios System Details
- Python & JavaScript logic & crypto
- Free/Open-Source stack
Helios System Details
- Python & JavaScript logic & crypto
- Free/Open-Source stack
- Deployed on Google App Engine
Helios System Details
- Python & JavaScript logic & crypto
- Free/Open-Source stack
- Deployed on Google App Engine
- Deployed on Apache/Python/PostgreSQL
Helios System Details
- Python & JavaScript logic & crypto
- Free/Open-Source stack
- Deployed on Google App Engine
- Deployed on Apache/Python/PostgreSQL
- Customizableauthentication, look-and-feel, translations
So, does it work?
- Université catholique de Louvain
- 25,000 eligible voters
- University president election
- Helios 2.0, optimized
- customized for UCL (French, improved UI)
28
29
30
31
0 2 4 6 8 10 12 14 16 18 20 22
Time [h]
0
100
200
300
400
500
Num
ber
of vote
s p
er
hour
DAY 1
1st round
2nd round
0 2 4 6 8 10 12 14 16 18 20 22
Time [h]
0
100
200
300
400
500
Num
ber
of
vote
s p
er
hour
DAY 2
1st round
2nd round
0 2 4 6 8 10 12 14 16 18 20 22
Time [h]
0
500
1000
1500
2000
2500
3000
3500
4000
Tota
l num
ber
of
vote
s
DAY 1 1st round
2nd round
0 2 4 6 8 10 12 14 16 18 20 22
Time [h]
0
500
1000
1500
2000
2500
3000
3500
4000
Tota
l num
ber
of
vote
s
DAY 2 1st round
2nd round
32
32
32
Most Interesting Lesson: spurious claims
are easily countered
brief demo
![Appendices Appendix 1: Curriculum Vitae › files › ... · [Adi08] B. Adida. Helios: Web-based open-audit voting. In P. C. van Oorschot, editor, USENIX Security Sympo- sium, pages](https://static.fdocuments.us/doc/165x107/5f1bf52237243902cf090c56/appendices-appendix-1-curriculum-vitae-a-files-a-adi08-b-adida-helios.jpg)
