Truly Verifiable Elections

Truly Verifiable Voting

Ben AdidaHarvard University

MSR Voting Technology Workshop19 March 2010

“If you think cryptographyis the solution

to your problem....

... then youdon’t understandcryptography...

... and you don’t understand your

problem.”

Yet, cryptography solves problems that initially

appear to be impossible.

There is apotential paradigm shift.

A means ofelection verificationfar more powerful

than other methods.5

“But with cryptography, you’re just moving the black box. Few people really

understand it or trust it.”

Debra BowenCalifornia Sec. of State, 7/30/2008

(paraphrased)

DREcode

ElectionResults

election

Three Points

1. Voting is a unique trust problem.

2. Cryptography is not just about secrets,it enables collaboration w/o blind trust,it democratizes auditing processes.

3. Truly Verifiable Voting is closing in on practicality.

1.Voting is a unique

trust problem.

“Swing Vote”

terrible movie.hilarious ending.

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday

to see the election results.

"She saw my name with zero votes by it.She came home and asked me ifI had voted for myself or not."

Bad Analogies

Not just thatATMs and planes are vulnerable(they are, but that’s not the point)

It’s that voting is much harder.

Bad AnalogiesAdversaries➡ pilots vs. passengers (airline is on your side, I think.)➡ banking privacy is only voluntary:

you are not the enemy.

Failure Detection & Recover➡ plane crashes & statements vs. 2% election fraud➡ Full banking receipts vs. destroying election evidence

Imagine➡ a bank where you never get a receipt.➡ an airline where the pilot is working against you.

Ballot secrecyconflicts with auditing,

cryptographycan reconcile them.

http://www.cs.uiowa.edu/~jones/voting/pictures/ 17

VotingMachine

Vendor

* source

* code

if (...

Polling Location

Ballot Box Collection

Results

.....6

Black Box

Chain of Custody

2.Cryptography is notjust about secrets,

it enables collaboration w/o blind trust.

Initially,cryptographers

re-createdphysical processesin the digital arena.

Then, a realization: cryptography enables a new voting paradigm

Secrecy + Auditability.

Bulletin Board

Public Ballots

Alice:Obama

Bob:McCain

Carol:Obama

Obama....2McCain...1

Encrypted Public BallotsBulletin Board

Alice:Rice

Bob:Clinton

Carol:Rice

Obama....2McCain...1

Alice verifies her vote Everyone verifies the tally

End-to-End Verification

Polling Location

VotingMachine

Vendor

* source

* code

if (...

Receipt

Ballot Box /

Bulletin Board

Results

Democratizing Audits

Each voter is responsible for checkingtheir receipt (no one else can.)

Anyone, a voter or a public org,can audit the tally andverify the list of cast ballots.

Thus, “open-audit” ortruly-verifiable voting

Increased transparencywhen some data

must remain secret.28

So, yes, we encrypt,and then we work with the encrypted data in public, so

everyone can see.

In particular, because the vote is encrypted, it can remain labeled with voter’s name.

“Randomized” EncryptionKeypair consists of a public key and a secret key .skpk

"Obama" 8b5637Encpk

c5de34Encpk"McCain"

a4b395Encpk"Obama"

Threshold Decryption

8b5637

b739cbDecsk1

261ad7Decsk2

7231bcDecsk3

8239baDecsk4

Secret key is shared amongst multiple parties:all (or at least a quorum) need to cooperate to decrypt.

"Obama"

Homomorphic Encryption

then we can simplyadd “under cover” of encryption!

Enc(m1)× Enc(m2) = Enc(m1 + m2)

gm1 × gm2 = gm1+m2

Mixnets

Each mix server “unwraps”a layer of this encryption onion.

c = Encpk1 (Encpk2 (Encpk3 (m)))

Proving certain details while keeping others secret.

Proving a ciphertext encodes a given message

without revealingits random factor.

Zero-Knowledge Proof

This last envelope likely contains “Obama”

Vote For:

President:

Mickey MousePresident:

Mickey MouseVote For: Obama

Zero-Knowledge Proof

Open envelopes don’t proveanything after the fact.

President:

Mickey MouseVote For: Obama

President:

Mickey MouseVote For:

McCain

A little bit more math

y = gx mod p

S = gr mod p

t = xc + rgt ?= Syc

does this prove anything?

y = gx mod p

S = gr mod p

t = xc + r

what’s so special about it?

y = gx mod p

S = gr mod p

t = xc + r

gt ?= Syc

Electronic Experience

Voter interacts with a voting machine

Obtains a freshly printed receiptthat displays the encrypted ballot

Takes the receipt home and uses itas a tracking number.

Receipts posted for public tally.

Voting Machine

Encrypted Vote

Paper Experience

paper ballots with indirectionbetween candidate and choice

break the indirection (tear, detach)for effective encryption

take receipt home and use itas tracking number.

receipts posted for public tally.q r m x

Adam - x

Bob - q

Charlie - r

David - m

q r m x

Adam - x

Bob - q

Charlie - r

David - m

q r m x

Charlie

_______

Charlie

_______

3.Cryptography-based Voting

(Truly Verifiable Voting) is closing in on practicality.

Benaloh Casting

"AUDIT"

EncryptedBallot

DecryptedBallot

"CAST"

SignedEncryptedBallot

DecryptedBallot

EncryptedBallot

VERIFICATION

"Obama"

Many more great ideasNeff ’s MarkPledge➡ high-assurance, human-verifiable, proofs of correct encryption

Prêt-à-Voter by Ryan et al.➡ elegant, simple, paper-based

STV: Ramchen, Teague, Benaloh & Moran.➡ handling complex election styles

Scantegrity I & II➡ closely mirrors opscan voting

Deployments!

Scantegrity II @ Takoma Parkreal municipal elections

Université catholique de Louvain25,000 voters

Scratch, Click & Vote

Three Points

1. Voting is a unique trust problem.

2. Cryptography is not just about secrets,it enables collaboration w/o blind trust,it democratizes the auditing process.

3. Truly Verifiable Voting is closing in on practicality.

My Fear :

computerization of voting is inevitable.

without true verifiability,the situation is grim.

My Hope:public auditing proofs

will soon be as common aspublic-key crypto is now.

Challenges

Ed Felten: “you have no voter privacy, deal with it.”

Questions?

Truly Verifiable Elections

Technology

Transcript of Truly Verifiable Elections

Verifiable Mixnets

Verifiable Resource Accounting for Cloud Computing Services

Verifiable control of ballistic missile proliferation

Verifiable Cost Working Group (VCWG) Update

HackDemocracy Brussels 3 - Verifiable online elections: the future of voting?

Short PCPs verifiable in Polylogarithmic Time

The Round Complexity of Verifiable Secret Sharing Re-Visited€¦ · The Round Complexity of Verifiable Secret Sharing Re-Visited CRYPTO 2009 ... The round complexity of verifiable

Helios: web-based truly verifiable voting

Building Verifiable Software Prototypes Using Coloured Petri NetsQualifying Exam 1/39 June 17, 2005 Building Verifiable Software Prototypes Using Coloured.

An Inductive Synthesis Framework for Verifiable ...

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

08 Measurable Reportable and Verifiable

Implementing the Verifiable Claims data model

ZEUS Election Administrator Manual€¦ · ZEUS Election Administrator Manual December 21st, 2016 Introduction Zeus is a web-based e-voting platform for conducting verifiable elections

Verifiable Photomontage Representative

Idealized BGPsec: Formally Verifiable BGP

IGNACIO FLORES-FIGUEROA, UNITED STATES OF …epic.org/privacy/flores-figueroa/122208_brief.pdf · Mendoza-Gonzalez, 520 F.3d 912 ... Voter-Verifiable Elections, Presented at ITL ...

Proof Sketches: Verifiable In-Network Aggregation

Verifiable Costs Workshop - Electric Reliability Council ...€¦ · Incremental O&M How Verifiable Costs are Used 9 QSE ... Based on Resource’s Verifiable Incremental Heat Rate

Zeus Voter Manual · 2018-10-26 · - 1 of 13 - Zeus Voter Manual December 21st, 2016 Introduction Zeus is a web-based e-voting platform for conducting verifiable elections in which