Auditability and Verifiability of Elecons Ronald L....
42
Auditability and Verifiability of Elec4ons Ronald L. Rivest MIT UC Davis December 1, 2016
Transcript of Auditability and Verifiability of Elecons Ronald L....
AuditabilityandVerifiabilityofElec4ons
RonaldL.RivestMIT
UCDavisDecember1,2016
Havewemadeprogresssince2000?
Hanging chads (2000) >>> Voting Machines at Risk (2015)
Nov.2016–WhoReallyWon?
HillaryorDonald?
Evidence-BasedElec4ons Anelec4onshouldnotonlyfindoutwhowon,butshouldalsoprovideconvincingevidencethatthewinnerreallywon. (Stark&Wagner2012)NO:“TrustmeandmysoEware”YES:“Mistakeswillbemade.Findandfixthem.”YES:“Trustbutverify.”
Outline
• SecurityRequirements• SoTwareIndependence• Audi4ngofPaperBallots• CryptographicVo4ngSchemes(E2E)• Remote(Internet?)Vo4ng???
SecurityRequirements
SecurityRequirements
• Onlyeligiblevotersmayvote,andeacheligiblevotervotesatmostonce.
• Eachcastvoteissecret,evenifvoterwishesotherwise!--Novote-selling!--Noreceiptshowinghowyouvoted!
• Finaloutcomeisverifiablycorrect.• No``trustedpar4es’’–allaresuspect!Vendors,voters,elec4onofficials,candidates,spouses,otherna4on-states,…
SoTwareIndependence
(Rivest&Wack,2006)
AndWhoDoYouHopeYouVotedFor?
SoTwareIndependence
• SoTwareisnottobetrusted!• Avo4ngsystemissoEwareindependentifanundetectederrorintheso4warecannotcauseanundetectablechangeintheelec7onoutcome.
• StronglysoEware-independentifitispossibletocorrectanysuchoutcomeerror
• Example:Paperballots(withhandrecount)
PaperBallots
1893–“Australian”PaperBallot
Whatisusednow?
(VerifiedVo4ng)DRE=DirectRecordingbyElectronicsVVPAT=VoterVerifiedPaperAuditTrail
Elec4onProcess(paperballots)
• Printballots;setup• Vote• Ini4alcount(byscanners);ini4al(“reported”)outcome
• Sta4s4calaudit(byhand)ofpaperballotstoconfirm/disprovereportedoutcome
Audi4ngofPaperBallots
Twoaudi4ngparadigms • Ballot-pollingaudits:Allyouhavearethecastpaperballots.(Like``exitpoll’’ofballots…)
• Comparisonaudits:Usesbothpaperandelectronicrecords(“castvoterecords’’–CVRs)PaperballotgivenanIDwhenscanned;CVRhassameID.AuditcomparespaperballottoitsCVR.
Generalauditstructure
1. Drawanini4alrandomsampleofballots.2. Interpretthembyhand.3. Stopifreportedoutcomeisnowconfirmed
todesiredconfidencelevel.4. Ifallballotshavenowbeenexamined,you
havedoneafullrecount,andaredone.Otherwiseincreasesamplesize;returnto2.
CastVotes
Sample
Bravoaudit[LSY12]
• Ballot-pollingaudit• Risk-limi(ngaudit:providesguaranteethatchanceofaccepQngincorrectoutcomeisatmostgivenrisklimit(e.g.α=0.05).
• Usesreportedmargin-of-victoryasinput(e.g.accumulateproductofA/2orB/2whereA,Barereportedfrac4onsofvotesforAlice,Bob.
• Canneedlesslydoafullrecountifreportedmargin-of-victoryiswrong…
DiffSumaudit[R15]
• Nodependenceonreportedmargin-of-victory.• Fortwo-candidaterace,stopswhen(a–b)2>(a+b)�log10(n)wherea,b=numberofvotesforAlice,Bobn=totalnumberofvotescast
• Risklimit α determinedempirically;forthcomingworkgiveswaytomakethisapproachworkwithrigorousbounds.
Othersocialchoicefunc4ons
Socialchoicefunc4ons
• Notallelec4onsareplurality• Someelec4onsareranked-choice:ballotgivesvoter’spreferences:A>C>D>B
• Aspecified``socialchoicefunc4on’’mapscollec4onsofballotstooutcomes.
• Example:IRV(InstantRunoffVo4ng)–Keepelimina4ngcandidatewithfewestfirst-choicevotesun4lsomecandidatehasamajorityoffirst-choicevotes.(SanFranciscousesIRV.)
Black-boxaudits
• “Black-boxaudits”onlyneedto– drawrandomsamples– derivevariantsamplesofarandomsample– applythesocialchoicefunc4onina“black-box”mannertosomesamples,todeterminethewinnersofthosesamples.
• Black-boxauditsthusapplytoanyvoQngsystem(anysocialchoicefuncQon)!
• Threeexamples:Bayesian,Bootstrap,andT-pileaudits.
Bayesianaudit[RS12]• ``Inverse’’ofsamplingisPolya’sUrn:
• Placesampleinurn.Drawoneballotoutatrandom,puttwocopiesback.Rinseandrepeat.
• ThissamplesBayesianposteriordistribu4onforcollec4onofcastvotes.
• Canthusmeasure“Probabilitythatreportedoutcomeiscorrect”givensample.Stopif>1–α.
CastVotes
Sample
Drawsample Polya’sUrn
Bootstrapaudit[RS15]
• CreatefromgivensampleT(e.g.100)“variantsamples”(e.g.bysubsamplingwithreplacement)
• Stopauditifsampleandallvariantshavesameoutcomeasreportedoutcome.
CastVotes
Sample
Drawsample
VariantSample
VariantSample
VariantSample
T-pileaudit• “Deal”sampleinround-
robinmannerintoT(e.g.T=7)disjointpiles.
• Stopauditifsampleandallpileshavesameoutcomeasreportedoutcome.
• Provablyrisk-limi4ngunderreasonableassump4onthatmostlikelysampleoutcomeiscorrectone.
• Butnotasefficientasgeneralbootstrapaudit…
CastVotes
Sample
Drawsample
Pile1 Pile2 PileT
ComparisonAudits
• Moreefficient(1/margin-of-victory)sinceyouarees4ma4ngerrorrateinCVRs(near0)ratherthanvotesharesofcandidates(near½)
• Typicalauditmayonlyneedtoauditafewdozensofballots
• Bayesianauditcandocomparisonaudits• Othermethods:SOBA[BJLLS11]
End-to-endVerifiableVo4ng
End-to-EndVerifiableVo4ng• Provides“end-to-end”integrity;votesare
– “castasintended”(verifiedbyvoter)– “collectedascast”(verifiedbyvoterorproxy)– “countedascollected”(verifiedbyanyone)
• Paperballotshaveonlyfirstproperty;onceballotiscast,integritydependson“chainofcustody”ofballots.
• End-to-endsystemsprovidesoTwareindependence,verifiablechainofcustody,andverifiabletally.
PublicBulle4nBoard(PBB)
• E2Esystemshave“publicbulleQnboard”pos4ngelec4oninforma4on(includingencryp4onsofballots).
• PBBposts“evidence”thatreportedwinneriscorrect.
PublicBulle(nBoard:<Elec4on>SystemPKparametersVoter/Votepairs:“Abe_Smith”,E(voteAbe_Smith)
“Ben_Jones”,E(voteBen_Jones)…ReportedwinnerProofofcorrectness</Elec4on>
Ballotsareencrypted
• Votergivencopyofherencryptedballotas“receipt”
• Howcansheverifythatencryp4onwasdonecorrectly?Wasvote“verifiablycastasintended?”– Answer:votercanarbitrarilydecideeithertocastencryptedvote,ortoauditencryp4onbyaskingfordecryp4onparameters.(Benaloh)
Votercanconfirmchainofcustody
• VoternamesandreceiptspostedonPBB• Voterchecks“collectedascast”byverifyingthathername/receiptispostedonPBB
• Ifitismissing,shecancrediblycomplainifherreceiptis``authen4c’’ (e.g.hardtoforge).
• EnoughcrediblecomplaintsèRe-runelec4on!
Anyonecanverifytally
• Systempublishesfinaltally(reportedoutcome)andNIZKproofthatreportedoutcomeiscorrect.
• Decryp4ngindividualballotsnotnecessarywithhomomorphictallying:E(v1)E(v2)=E(v1+v2)Productofciphertextsisciphertextforsum.Onlyproductofallvotesneedstobedecrypted.
• Anothercommonapproachbasedonmixnets.
E2Edeploymentsinrealelec4ons
• Scantegrity(Chaum;TakomaPark,MD;2009&2011)
• Wombat(Rosen;3elec4onsinIsrael;2011&2012)
• PrêtàVoter(Ryan;NewSouthWales,Australia;2014)
• StarVote(Aus4n,Texas)(DeBeauvoir;inprogress…)
Hybridpaper+electronic
• Somesystems(likeScantegrity,Wombat,andStarVote)havebothapaperballotANDanelectronicE2Esubsystem.
• Canauditpaperballotsasusual.• CanauditelectronicrecordsonPBBasusualforE2Esystem.(Thatis,votercanverifyhervoteisthere,andanyonecanverifytally.)
Scantegrityconfirma4oncodes
Invisiblecodessolves“receiptauthen4city”problem:voteronlygetscodesforcandidatesshevotedfor.
Wombatvo4ng
• PrintedballothasplaintextchoiceandQRcodeequivalent.
• VotercastspaperballotintoballotboxandhasQRcodescannedforPBB.
• TakesQRcodereceipthometolookuponPBB.
WhencanIvoteontheInternet?(oronmyphone?)
h�p://voteinyourpajamas.org/
• U.S.VoteFounda4on2015ReportonInternetVo4ng:– E2EnecessaryforIV– But:E2Eshouldfirstbewell-establishedandunderstoodforin-personvo4ng,and
– E2EnotsufficientforIV:manyproblemsremain:
• Malware• DDOSa�acks• Authen4ca4on• MITMa�acks• Zero-daya�acksonservers• Coercion&vote-selling• …
HeliosVo4ng(Adida)
• PrototypeE2Einternetvo4ngsystemh�ps://vote.heliosvo4ng.org/
• Useshomomorphictallying• Usedbysomeprofessionalsocie4es…• Noprotec4onagainstmalware,DDOS,coercion,etc…
• Notsuitableforrealpoli4calelec4ons!
Challenges/OpenProblems
• Proofsofrisk-limi4ngcharacterforBootstrapaudits
• Developtheoryforprecinct-levelaudits• Be�erE2Edisputeresolu4on• Goodmul4-channelremotevo4ngmethods(mail+phone?)
• Be�erwaystoexplainauditstonon-technicalfolks(sta4s4cs;crypto;assump4ons…)
Conclusions
• Elec4onintegrityremainsahardproblemandagoodresearcharea.
• Internetvo4ngis(orshouldbe)alongwaysoff(20years?)
• End-to-endverifiablevo4ngmethods(especiallyhybridmethodswithpaperballots)arethewaytogo.
Thanksforyoura�en4on!
TheEnd
