electronic voting r. newman. topics defining anonymity need for anonymity defining privacy threats...
TRANSCRIPT
Electronic Voting
R. Newman
Topics
Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology
Privacy Need anonymity to protect against retribution Need privacy to protect against coersion
Authorization Need to ensure only enfranchised vote Need to prevent multiple voting
Verifiability Need to make sure your vote was counted Need to be able to verify tally is correct Auditability is needed in case of disputes
Voting Requirements
Data integrity and reliability - tamperproof Voter anonymity and data confidentiality Operator authentication Documentation and assurance Personnel integrity
Specific Requirements
System accountability System disclosability System availability System reliability Interface usability
Specific Reqs – the ”-ilities”
Plurality Voting One vote per voter Candidate with most votes wins
Plurality with Run-off Plurality voting selects top two candidates Top two candidates have second election
Approval Voting Voters can approve of multiple candidates Candidate with most votes wins
Types of Voting
Instant Run-off Candidate with fewest votes eliminated Repeat until candidate with majority
Pairwise Elimination Vote in tournament style
Borda Voting Voters submit total order on candidates Candidate with most points wins
Many more....
More Types of Voting
Secret Sharing Threshold systems Basic versions assume: Honest distribution Honest reconstruction
PVSS resists Dealer distributing incorrect shares
Anyone can verify correctness Participants submitting incorrect shares
Publically Verifiable Secret Sharing
Voters Register and vote
Registrar Validate voters Distribute ballots
Ballot Box – Vote Certifier Allow voters to post anonymous, verifiable ballots
Tallyer Collect valid ballots Post verifiable results
Generic Approach - Players
Phase I – Registering Voter contacts Registrar, proves identity Registrar verifies identity, gives blank ballot
Phase II – Voting Voter prepares ballot, submits to ballot box Ballot box validates ballot, posts ballots Public (including voters) verify ballots
Phase III – Tallying Tallyer combines votes on ballots, publishes results Public verifies results
Generic Approach - Phases
Registrar gets list of valid voters Voter sends Registrar proof of identity along with blinded
ballots Public key signature on message
Registrar verifies voter’s identity and validity Verifies signature Checks that name is on list of valid voters
Registrar signs blinded ballots Typically uses cut-and-choose to detect cheating Blinding removes association with voter
Registering
Voter unblinds ballots Voter selects ballot with candidate of choice Voter anonymously sends ballot to Ballot Box Ballot Box verifies ballot
Signature from Registrar Ballot Box posts ballot
Voter can see that her ballot has been cast
Voting
Ballot Box closes polls when period is over Tallyer collects all valid ballots Tallyer computes results and posts Public can validate results
Tallying
Registrar gets list of valid voters Voter sends Registrar proof of identity
Public key signature on message Registrar verifies voter’s identity and validity
Verifies signature Checks that name is on list of valid voters
Registrar sends Voter blank ballot Keeps digest of voters, ballots
Registering – Alternative 1
Voter marks signed ballot with choice(s) Voter sends blinded marked ballot to Certifier
Voter signs blinded marked ballot Certifier validates ballot
Checks signature vs. list of voters Does not know ballot number Signs blinded ballot
Voter unblinds ballot, anonymously sends to Tallyer Tallyer anonymously sends receipt to voter
Voting – Alternative 1
Tallyer counts valid votes Tallyer publishes results
Counting – Alternative 1
Registrar gets list of valid voters Voter sends Registrar proof of identity along with blinded
public key PK used as a pseudonym
Registrar verifies voter’s identity and validity Verifies signature Checks that name is on list of valid voters
Registrar signs blinded public key Blinding removes association with voter Voter has registrar’s signature on PK certificate
Registering – Alternative 2
Voter produces ballot Uses proper format Signs balloot using pseudonym public key
Voter sends signed ballot to Ballot Box Ballot sent anonymously BB can’t link ballot to sender or to signer
BB verifies ballot Checks signature on ballot Checks that PK certificate signed by Registrar
BB posts valid ballots
Voting – Alternative 2
Tallyer closes election when time is up Tallyer combines validedated ballots
Publishes results
Tallying – Alternative 2
Obtaining marked ballot that is Not tied to the voter Verifiable
Insuring that fraud cannot occur Voter can only vote once Nobody other than voter can use voter’s ballot Only valid voters can vote
Auditability What about write-in ballots?
Issues