Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora {bhosp, simha, jstanton, poorvi} @gwu.edu Dept. of Computer Science George Washington University


Page 1: Title slide

Ben Hosp, Nils Janson, Phillipe Moore, John Rowe, Rahul Simha, Jonathan Stanton, Poorvi Vora
{bhosp, simha, jstanton, poorvi}@gwu.edu
Dept. of Computer Science, George Washington University

Page 2

Integrity during ballot casting: paper receipts

Challenge: allow the voter to keep a record of her vote so that
– she can determine that it has been counted correctly, yet
– she cannot prove how she voted

This record is on paper, so “computer” problems will not destroy the record.

Page 3

CVV* can do this with, from the voter’s point of view, a voting system that will “just work”.

The only additional effort required of the voter is to pull a lever up or down arbitrarily.

Caveat: a non-negligible percentage of voters or their representatives must make the effort to check their ballot receipts.

* Based on a method by David Chaum

Page 4

Election Goals

– Integrity: correct vote count.
– Anonymity: I can’t tell how you voted.
– Involuntary Privacy: you can’t prove to me how you voted.
– Voter Verifiability: you, the voter, can verify the first two goals.
– Public Verifiability: anyone can verify the first three goals.
– Robustness: if something goes wrong it can be detected and fixed.

Page 5

CVV Assumes

A set of n independent trustees, all of whom do not collude (can be made k of n)
– Collusion can violate privacy without being detected
– Collusion cannot violate integrity without detection

All n trustees are functional (can be made k of n)
– A nonfunctional trustee (or > k nonfunctional trustees) can cause a denial of service attack

Page 6

CVV Assumes

A not necessarily trustworthy polling machine
– Cannot violate count integrity
– Can violate privacy (sees ballot)

No collusion between authentication process and polling machine
– Collusion can lead to ballot stuffing

Sufficiently large number of receipts checked, by voter or authorized third party
– Requires process

Page 7

[Poster image]

Page 8

CVV is

– A prototype implementation of Chaum’s voter-verifiable voting system
– Using commonly available, low-cost hardware and OS platforms

Page 9

Stage 2

Demo 1: walk-through

Page 10

The Voting Process: Ballot Casting

The voter uses the voting booth machine to generate some image: her vote.

The booth prints out two layers
– which are random by themselves,
– but when overlaid, display the image.

Page 11

Layer generation

The layers are generated using two strings of random numbers
– Each created by adding trustee shares
– Each of size half of the number of image pixels
– One for the top layer, the other for the bottom
– Laid in staggered form on the two layers

[Figure: the two layers, with the random pixels (marked R) laid in staggered positions]

Page 12

Layer generation

The other half of the pixels on each layer are such that the overlay is the correct vote.

[Figure: top layer + bottom layer = vote image]

Other vote: [Figure: the same construction for the other vote]

Page 13

Different types of receipts

– Optical (additive) overlay: Chaum
– Many other symbols by Jeroen van de Graaf

Page 14

The Voting Process: Receipt Choice

The voter chooses one layer for her receipt.
– Some other “stuff” is printed on the chosen layer.
– The unchosen layer is destroyed.
– The chosen layer is stored or transmitted.

It can be shown that the machine can cheat in only one of the two receipts if the overlay represents the vote.

Page 15

The Voting Process: Receipt Checking

Receipts at the counting station can all be checked, by a third party, for correctness.

A voter can check that her own receipt has reached the counting station, or have it checked by a third party.

Automated checking that a hard copy matches an image at the counting station is not yet implemented by CVV. Visual checking is possible.

Page 16

Cheating machine caught with probability half

If the machine has cheated on a vote which has the check performed:
– it will be detected with non-negligible probability (one-half?)
– this does not depend on the hardness of any problem using any computational model, but on the randomness of the voter choice

Does not depend on voter trust of poll worker checks.
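The two-layer construction of pages 10 to 16 as a runnable model (an added example, not CVV’s own Java code): each layer’s random half is expanded from a seed with SHA-256 (a stand-in for the summed trustee shares, an assumption of this example), the other half completes the image, and the receipt check regenerates the chosen layer’s random half from the revealed seed. A machine that prints one layer’s random half off-seed, so that the counted pixels differ from the displayed vote, keeps the overlay intact but fails the check exactly when the voter happens to choose that layer.

```python
import hashlib

def prng_bits(seed, n):
    # Expand a seed into n pseudo-random pixels; stands in for the summed trustee shares.
    bits, ctr = [], 0
    while len(bits) < n:
        d = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        bits += [(b >> k) & 1 for b in d for k in range(8)]
        ctr += 1
    return bits[:n]

def random_positions(layer, n):
    # Staggered layout: the top layer's random pixels sit at even indices, the bottom's at odd.
    return range(0, n, 2) if layer == "top" else range(1, n, 2)

def make_layers(image, seed_top, seed_bot, tamper=None):
    # Honest layers XOR to the image. tamper="top"/"bottom" models a machine that ignores that
    # layer's seed (flips its random half) and compensates on the other layer: same overlay, wrong count.
    n = len(image)
    rnd = {"top": prng_bits(seed_top, n // 2), "bottom": prng_bits(seed_bot, n // 2)}
    top, bottom = [0] * n, [0] * n
    for i in range(n):
        own = "top" if i % 2 == 0 else "bottom"
        r = rnd[own][i // 2] ^ (1 if tamper == own else 0)
        if own == "top":
            top[i], bottom[i] = r, r ^ image[i]
        else:
            bottom[i], top[i] = r, r ^ image[i]
    return top, bottom

def overlay(top, bottom):
    return [a ^ b for a, b in zip(top, bottom)]

def check_receipt(layer, pixels, seed):
    # Receipt check (anyone can run it): the revealed seed must regenerate the receipt's random half.
    regen = prng_bits(seed, len(pixels) // 2)
    return all(pixels[i] == regen[i // 2] for i in random_positions(layer, len(pixels)))

def count_receipt(layer, pixels, other_seed):
    # Trustee side: regenerate the destroyed layer's random half and recover the half of the image the receipt carries.
    other = "bottom" if layer == "top" else "top"
    regen = prng_bits(other_seed, len(pixels) // 2)
    return {i: pixels[i] ^ regen[i // 2] for i in random_positions(other, len(pixels))}

def cast_and_check(image, seed_top, seed_bot, chosen, tamper=None):
    top, bottom = make_layers(image, seed_top, seed_bot, tamper)
    receipt = top if chosen == "top" else bottom
    mine, theirs = (seed_top, seed_bot) if chosen == "top" else (seed_bot, seed_top)
    return {"overlay_ok": overlay(top, bottom) == image,
            "receipt_ok": check_receipt(chosen, receipt, mine),
            "counted": count_receipt(chosen, receipt, theirs)}
```

With `tamper="top"`, the counted half of the image comes out inverted when the voter keeps the bottom layer, and the check fails when she keeps the top one; either way the overlay she saw in the booth was correct.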

Page 17

The Complete Ballot

The receipt/vote has the following fields:

Pre-choice:
– The vote ID
– The encrypted image
– Information for the trustees required to decrypt the top layer and the bottom layer
– A signature of the vote ID and the information above

Post-choice:
– Information required by a non-trustee to recreate the above for the chosen layer, but not the unchosen one; used to check the commitments
– A signature of the whole ballot, to prevent false claims of uncounted votes

Page 18

The Complete Ballot

The information on the ballot
– Can be used by anyone to verify that the ballot was correctly constructed, but
– Cannot be used to decrypt the ballot except by the appropriate combination of trustees.

Page 19

The Vote-Decryption Process – similar to a regular MIX

– Random pixels were generated using a different seed for each trustee, for top and bottom
– The seed of the chosen layer is made available on the receipt for checking
– The other seed is made available in nested encrypted form for the trustees to generate the random part of the unchosen layer

Page 20

The Vote-Decryption Process

Each trustee:
– for each ballot:
  – extracts his seed
  – incrementally regenerates the random numbers on the other layer
  – adds his share to the ballot
– shuffles all the ballots
– passes on the ballots to the next trustee

Page 21

Receipt Decryption

[Figure: receipt layer overlaid with the regenerated random pixels (marked R) = vote image]

The other vote would have looked like: [Figure]

Page 22

The Auditor

The first trustee is asked to reveal, to the public, a random half of his shuffle.

The next trustee reveals the other half.

And so forth
– no ballot can be completely traced through the shuffles.

Page 23

The Auditor

Each trustee provides
– A correspondence between input and output images
– A seed value

Such that
– the encryption of the seed with his public key gives the encrypted information
– the difference between the output and input images of the revealed half of their shuffle was generated using the seed

Cheating trustee caught with probability half for every vote cheated on.
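The mix and its audit of pages 19 to 23 as a runnable toy (an added example, not the project’s code): ballots are 8-pixel bitmasks, each trustee’s share is SHA-256 of a per-ballot seed, and, as a simplifying assumption, the seeds ride along with the ballot in the clear rather than nested-encrypted to the trustees. The auditor opens a random half of the first trustee’s links and, for each later trustee, exactly the links whose inputs the previous trustee left closed, so no ballot is traced end to end and a trustee who alters a ballot is caught with probability one-half.

```python
import hashlib, random

def share(seed):
    # A trustee's pseudo-random mask for one 8-pixel ballot, regenerable from its seed alone.
    return hashlib.sha256(seed).digest()[0]

def cast(image, seeds):
    # Counting-station input: image masked by every trustee's share (seeds in the clear: toy assumption).
    for s in seeds:
        image ^= share(s)
    return image, list(seeds)

def mix_step(ballots, rng, cheat_pos=None):
    # One trustee: strip own seed, remove own share, shuffle. cheat_pos flips a pixel of that ballot.
    rows = []
    for pos, (img, seeds) in enumerate(ballots):
        out = img ^ share(seeds[0]) ^ (1 if pos == cheat_pos else 0)
        rows.append(((out, seeds[1:]), pos, seeds[0]))
    rng.shuffle(rows)
    outputs = [row[0] for row in rows]
    links = {new: (old, seed) for new, (_, old, seed) in enumerate(rows)}  # secret correspondence
    return outputs, links

def audit_step(inputs, outputs, links, reveal):
    # For each opened link the auditor recomputes share(seed) and checks output == input ^ share.
    return [new for new in reveal
            if outputs[new][0] != inputs[links[new][0]][0] ^ share(links[new][1])]

def run_election(images, n_trustees, seed, cheater=None):
    rng = random.Random(seed)
    seeds = [[rng.randbytes(8) for _ in range(n_trustees)] for _ in images]
    stages = [[cast(img, s) for img, s in zip(images, seeds)]]
    all_links = []
    for t in range(n_trustees):
        cheat_pos = rng.randrange(len(images)) if t == cheater else None
        outputs, links = mix_step(stages[-1], rng, cheat_pos)
        stages.append(outputs)
        all_links.append(links)
    # Audit: trustee 0 opens a random half of its links; each later trustee opens exactly the
    # links whose inputs the previous trustee left closed, so no ballot is traced end to end.
    reveal = set(rng.sample(range(len(images)), len(images) // 2))
    caught = []
    for t in range(n_trustees):
        if audit_step(stages[t], stages[t + 1], all_links[t], reveal):
            caught.append(t)
        if t + 1 < n_trustees:
            closed = set(range(len(images))) - reveal
            reveal = {new for new, (old, _) in all_links[t + 1].items() if old in closed}
    tally = sorted(img for img, _ in stages[-1])  # final, unencrypted, shuffled votes
    return tally, caught
```

Running many elections with `cheater=1` shows the tally wrong every time but trustee 1 named in `caught` in only about half of them, which is why the slides couple the audit with a sufficiently large number of checked receipts.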

Page 24

Reduce “negative aspects” of voter verification by

Participation by major political interests and public interest organizations as:
– Trustees
– Third party working on behalf of the voter to
  – Check that the receipt is on the website
  – Check that the receipt was correctly generated (for this, they need to actively obtain receipts)
– Witnesses of the trustee decryption process and audit

Page 25

Reduce “negative aspects” of voter verification by – II

Process that includes encouraging voter verification when fraud is detected or alleged:
– If a voter claims his vote was not counted, encourage enough voters to check their votes to determine the extent of fraud/error
– If a displayed receipt does not check, check receipts in that precinct to determine the extent of fraud/error

Page 26

Current status of CVV

Prototype implemented in Java. Currently supports low-end ink jet printing.

Plan
– Open source release
– User-friendly ballots
– Pre-packaged election tool kit for third-party elections (e.g. student elections). Those interested please contact us.
– Construction of various other primitives for plug and play

Page 27

More Next Steps

Performance and Robustness Testing and Enhancements

Trials in local and school elections
– for education and
– to test usefulness and acceptance of the scheme

With Political Science and Public Affairs Faculty: determine if there is a difference in acceptance along group lines:
– Political parties
– Age
– Race
– Ability (among handicapped; Braille overlay methods can be developed)

Page 28

References and Acknowledgements

Acknowledgement: David Chaum

– David Chaum, “Secret-Ballot Receipts: True Voter-Verifiable Elections”, IEEE Security and Privacy, January-February 2004 (Vol. 2, No. 1).
– Poorvi Vora, “David Chaum’s Voter Verification using Encrypted Paper Receipts”, www.seas.gwu.edu/~poorvi/Chaum/chaum.pdf. Also on the DIMACS website linked from the talk abstract.

Page 29

Extras

Page 30

CVV - How it works
based on Chaum voter-verifiable voting system

1. Voter votes. Obtains an encrypted receipt that even she cannot decrypt outside the polling booth
   • only all n trustees can decrypt it
   • this can be modified to k of n trustees.

We will describe later how she can be sure the polling machine did not cheat.

2. Voter checks for the receipt on a public website. If it is there, her vote has reached the counting station.

Page 31

CVV - How it works

4. Possessor (voter or third party, or anyone if the receipt is on the website) can check if the receipt is correctly generated.

5. All votes at the counting station are serially (partially) decrypted and shuffled by the trustees (version of MIX).

6. Final, unencrypted, shuffled votes are counted. Conditional count announced.

7. Trustee decryption and shuffle is audited. Final count announced, election certified.