TRANSCRIPT
Secret Ballot Receipts: True Voter-Verifiable Elections
Richard Carback, Kevin Fisher, Sandi Lwin
CMSC 691v, April 3, 2005
Introduction: System Features
• Magic receipt
• Vote visible in the voting booth
• Vote invisible, yet verifiable, outside the voting booth
• Trusted voting machines unnecessary
• Provisional ballots are ballots, too
• Vote from anywhere
• Adjudicate today, adjudicate tomorrow
• Deeper, more restful sleep
• Eliminates common indoor allergens (even pet dander!)
• Boosts gas mileage up to 13%
System from the Voter's Perspective
• Input with a touch screen or other input means
• The register (receipt) printer generates a printout listing:
  – names of candidates
  – party affiliations
  – office sought
  – others
System from the Voter's Perspective
• Votes are printed before the final inch
• The printer prints both layers simultaneously
• Review the printout
• Indicate which layer to keep
• The printer prints the final inch
System from the Voter's Perspective
• The printer cuts both layers off, still laminated together, and releases them
• Neither layer is readable on its own
• While the layers are sandwiched, light passing through the cells that are clear on both layers makes the choices visible; separated, each layer looks like random printing
Example of Ballot Printout
Figure 1. An example part of a ballot printout listing a selected candidate. In addition to the candidate's name, party affiliation, and office sought, the printout can also include other types of contests and various graphics options.
Example of Final Inch Together
Figure 2. Last inch of the printout before the two laminated layers are separated.
Final Inch Separated
Figure 3. Last inch of the printout after it is separated: (a) the receipt (the layer the voter selects to keep) and (b) the layer that is shredded before the voter leaves the polling place.
Leaving the Polling Booth
• The voter gives up the layer marked for surrender
• That layer is shredded by a poll worker
• The machine's digital copy of the surrendered layer is shredded "electronically" (deleted) as well
• Only the physical layer the voter kept, and the digital image of that same layer, remain
Election Web Site
• Enter the receipt's serial number to check that the vote has been counted
• The web site displays the posted image; the voter checks it against the physical receipt
Resistance to Attack
• Posted receipt == proper tabulation (with high probability): if the posted images match the receipts, an audited tally counts the posted receipts correctly
• Votes are private (unless the cryptography is broken)
• Malicious software can only hope that:
  – the voter will keep the layer the machine bet on (cheating is caught if the other layer is kept)
  – no one will check serial numbers against the web site
  – the tally will not be audited
Weaknesses to Attack
• Subliminal channels
• Selectively malicious DRE
• Discarded receipts
• Malicious tally software
Visual Cryptography 101: Typography
[Figure: two newsprint-like patterns laminated together; the overlay reveals the ballot receipt text.]
Visual Cryptography 101: Pixels
[Figure: pixel-level encoding. Cell patterns on the two layers (newsprint, ballot receipt) combine to a 0 (light) or a 1 (dark) pixel.]
Visual Cryptography 101: Message Encoding
[Figure: message + random white sheet = encoded sheet; encoded sheet + the same white sheet = message.]
Visual Cryptography 101: White Sheet Vulnerability
A single encoded message yields multiple plaintext images: for any desired plaintext there is a white sheet that produces it, so an encoded sheet alone proves nothing.
Visual Cryptography 101: Mixing Red and White Sheets
[Figure: each layer mixes red (determined) and white (pseudorandom) cells; overlaying the two layers yields the ballot.]
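The pixel-level construction behind these slides, as an added example (not code from the slides or from Chaum's paper): a ballot bitmap is split into two layers, each of which alone is a uniformly random pattern; laminating them (visual OR) shows the ballot, the digital XOR recovers it exactly, and the "white sheet vulnerability" is demonstrated by forging, from one layer alone, a counterpart that overlays to any chosen image. The cell geometry (one pair of cells per pixel, exactly one dark cell per pair on each layer) and the SAMPLE_BALLOT bitmap are assumptions of this example.

```python
"""Visual cryptography for the two-layer receipt (added example; not code
from the slides or from Chaum's paper).

Assumptions: each ballot pixel becomes a pair of cells on each layer, with
exactly one dark cell per pair (1 = dark); laminating is a visual OR, so a
pixel reads dark when its pair is fully dark. SAMPLE_BALLOT is constructed.
"""
import secrets

# Constructed 5x7 bitmap of a ballot mark (a tick), 1 = dark pixel.
SAMPLE_BALLOT = [
    [0, 0, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 1, 0],
    [1, 0, 0, 0, 1, 0, 0],
    [0, 1, 0, 1, 0, 0, 0],
    [0, 0, 1, 0, 0, 0, 0],
]


def split_layers(ballot, rng=secrets.randbits):
    """Return (top, bottom). The top pair for pixel b is (w, 1-w) for a fresh
    random bit w; the bottom pair is the same pair when b == 0 and its
    complement when b == 1, so each layer alone is a uniform random pattern."""
    top, bottom = [], []
    for row in ballot:
        t, btm = [], []
        for b in row:
            w = rng(1)
            t += [w, 1 - w]
            btm += [w ^ b, 1 - (w ^ b)]
        top.append(t)
        bottom.append(btm)
    return top, bottom


def overlay(top, bottom):
    """Visual overlay: light passes only where both layers are clear."""
    return [[a | c for a, c in zip(tr, br)] for tr, br in zip(top, bottom)]


def read_overlay(over):
    """A pixel is dark when both cells of its pair are dark (layers disagree)."""
    return [[r[2 * j] & r[2 * j + 1] for j in range(len(r) // 2)] for r in over]


def digital_xor(top, bottom):
    """Mathematical XOR of corresponding cells recovers B exactly (the
    digital counterpart of the optical overlay)."""
    return [[tr[2 * j] ^ br[2 * j] for j in range(len(tr) // 2)]
            for tr, br in zip(top, bottom)]


def forge_counterpart(layer, target):
    """White-sheet vulnerability: one layer on its own is consistent with any
    image, because a counterpart can be built that overlays to `target`.
    This is why the counterpart must be committed to (the dolls), and also
    why the layer a voter keeps reveals nothing about the vote."""
    forged = []
    for lrow, trow in zip(layer, target):
        f = []
        for j, b in enumerate(trow):
            w = lrow[2 * j]
            f += [w ^ b, 1 - (w ^ b)]
        forged.append(f)
    return forged


def layer_is_balanced(layer):
    """Check a scanner would make: every pair has exactly one dark cell."""
    return all(r[2 * j] + r[2 * j + 1] == 1
               for r in layer for j in range(len(r) // 2))
```

Run `split_layers(SAMPLE_BALLOT)` and overlay the two results to see the tick; overlay either layer with `forge_counterpart(layer, anything)` to see the chosen image instead, which is the one-time-pad property the "white sheet vulnerability" slide refers to.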
Tabulation
• All receipts are posted
• Each trustee decodes a batch
• Batches are randomized (shuffled) to protect privacy
Russian Nesting Dolls
• Voted ballot == a set of nested dolls (one big doll)
• Each trustee opens one size of doll
• The smallest doll is the plaintext ballot
Coded Sheets
• How you do this with computers
• The big doll is the sum of the smaller permutations (the trustees' pseudorandom layers)
• Each trustee subtracts its permutation mod 2, i.e. XORs its pseudorandom layer off the batch
• The original (plaintext) ballot is revealed at the smallest doll
Tabulation Integrity
• Need to maintain privacy
• Each trustee is video-taped doing 2 batches
• 1 tape is released
  – chosen afterwards (by an auditor or the political parties)
Formal Receipt Process: Voting Phase – Step 1
Ballot image $B$ (the plaintext receipt): President: Lincoln; Senator: Kennedy.
[Figure: plaintext receipt headed "General Election", "Ballot Number 8675309", showing President: LINCOLN and Senator: KENNEDY, with the note "Separate layers before leaving booth."]
Formal Receipt Process: Voting Phase – Step 2
Printed 4-tuples $\langle L_Z, q, D_t, D_b \rangle$, one per layer $Z \in \{t, b\}$:
• $q$: serial number (the ballot number, 8675309 in the figure)
• $L_Z$: ballot layer $Z$
• $D_t$: top doll; $D_b$: bottom doll
[Figure: the two printed layers, each headed "General Election", "Ballot Number 8675309", "Separate layers before leaving booth."]
Formal Receipt Process: Voting Phase – Step 3
Laminating the two layers is a visual XOR:
$\langle L_t, q, D_t, D_b \rangle \oplus \langle L_b, q, D_t, D_b \rangle = \langle B, q, D_t, D_b \rangle$
The same relation holds as a mathematical (bitwise) XOR of the digital layers: $L_t \oplus L_b = B$.
[Figure: the laminated layers reading "General Election", "Ballot Number 8675309", President: LINCOLN, Senator: KENNEDY, "Separate layers before leaving booth."]
Formal Receipt Process: Voting Phase – Step 4
The voter chooses the layer to keep, $x \in \{t, b\}$: bottom layer $x = b$, top layer $x = t$.
[Figure: the two separated layers, each headed "General Election", "Ballot Number 8675309", "Separate layers before leaving booth."]
Formal Receipt Process: Voting Phase – Step 5
For the kept layer $x$ (bottom layer in the figure, $x = b$):
• Seed: $s_x(q)$, a signature on the serial number $q$ that also seeds layer $x$'s pseudorandom cells
• Overall: $o_x(L_x, q, D_t, D_b, s_x(q))$, a signature over the whole layer
"Last Inch" digital signature printed on the receipt:
$\langle\, s_x(q),\; o_x(L_x, q, D_t, D_b, s_x(q)) \,\rangle$
Formal Receipt Process: Voting Phase – Step 6, Part 1
Consistency check of the seed signature on the last inch:
$(s_x)^{-1}\big(s_x(q)\big) \stackrel{?}{=} \mathrm{hash}(q)$
Formal Receipt Process: Voting Phase – Step 6, Part 2
Consistency check of the overall signature against the hashes of the receipt contents $q$, $D_b$, $D_t$ and $L_x$:
$(o_x)^{-1}\big(o_x(L_x, q, D_t, D_b, s_x(q))\big) \stackrel{?}{=} \mathrm{hash}(q),\; \mathrm{hash}(D_b),\; \mathrm{hash}(D_t),\; \mathrm{hash}(L_x)$
Formal Receipt Process: Red and White Matrices
A layer $L_Z$ is an $m \times n$ matrix of cells. It splits into a white (pseudorandom) matrix $W_Z$ and a red (determined) matrix $R_Z$, each $m \times n/2$: every pair of cells holds one white and one red cell.
Top layer:
$W_t[i,j] = L_t[i,\; 2j - ((i+1) \bmod 2)]$
$R_t[i,j] = L_t[i,\; 2j - (i \bmod 2)]$
Bottom layer:
$R_b[i,j] = L_b[i,\; 2j - ((i+1) \bmod 2)]$
$W_b[i,j] = L_b[i,\; 2j - (i \bmod 2)]$
Which cell of a pair is white alternates by row, and is opposite on the two layers, so at every cell position one layer contributes a white cell and the other a red cell. The ballot is recovered from one layer's red cells and the other layer's white cells:
$B = R_x \oplus W_y \quad (x \ne y)$
Formal Receipt Process: Cryptographic Pseudorandom Number Generators
[Figure: AES under a key encrypts successive ballot IDs (12345, 12346, ...) as counter values; the ciphertext blocks (1010100..10, 0100111..00) form the N-bit pseudorandom stream.]
Formal Receipt Process: Calculating the Noise Matrix
Starting from the seed $s_Z(q)$, a cryptographic pseudorandom number generator produces one share per trustee $k$:
$d'^Z_k = h(s_Z(q), k)$
$d^Z_k = h'(d'^Z_k)$, a pseudorandom sequence of $m \cdot n/2$ bits (e.g. 101010..110)
The white matrix is the bitwise sum of all shares, laid out column by column:
$W^Z_{i,j} = \big(d^Z_k \oplus d^Z_{k-1} \oplus \cdots \oplus d^Z_1\big)[\,m(j-1) + i\,]$
[Figure: the bit stream 1 01 010 110 .. filling the $m \times n/2$ matrix $W^Z$.]
Formal Receipt Process: Doll Construction
The same pseudorandom sequence gives the doll contents: $d'^Z_k$ is doll $k$ ($d'^Z_k = h(s_Z(q), k)$, $d^Z_k = h'(d'^Z_k)$ as above). Each trustee's encryption $e_k$ wraps its share around the inner doll:
$D^Z_k = e_k\big(d'^Z_k,\; e_{k-1}(d'^Z_{k-1},\; \ldots\; e_2(d'^Z_2,\; e_1(d'^Z_1)))\big)$
Formal Receipt Process: Tally Phase: Doll Processing
[Figure: trustee $L$ applies $e_L^{-1}$ to the outer doll $D_L$, obtaining its share $d'_L$ and the inner doll $D_{L-1}$; it computes $d_L = h'(d'_L)$, XORs it off the batch, and passes $D_{L-1}$ to the next stage, which recovers $d'_{L-1}$ and $d^Z_{L-1} = h'(d'^Z_{L-1})$ in the same way.]
Formal Receipt Process: Tally Phase: Auditing
[Figure: batches flow through stages $k, k-1, k-2, k-3, k-4$; at each stage the batches selected for audit are marked.]
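The red/white matrices, noise matrix, doll construction, tally and stage audit of the preceding slides, carried through end to end as an added example (not code from the slides or from Chaum's paper). Labelled assumptions: the seed $s_Z(q)$ is modelled with HMAC-SHA256 under a machine key rather than a signature on $q$; $h$ is SHA-256 and $h'$ is SHA-256 in counter mode expanded to $m \cdot n/2$ bits; each trustee's $e_k$ is a toy stream cipher (HMAC keystream under a per-trustee secret with a fresh nonce) standing in for public-key encryption; $W$ and $R$ are flat integers of $m \cdot n/2$ bits; only the kept layer's red cells $R_x = B \oplus W_y$ and the other layer's doll $D_y$ are modelled, since that is what the tally decodes. Keys, serial numbers and ballots are constructed.

```python
"""Coded sheets, noise matrix, dolls, trustee tally and stage audit (added
example; not code from the slides or from Chaum's paper).

Assumptions: s_Z(q) modelled with HMAC-SHA256 under a machine key; h is
SHA-256; h' is SHA-256 in counter mode expanded to M*N/2 bits; e_k is a toy
HMAC-keystream stream cipher with a random nonce, a stand-in for trustee k's
public-key encryption; matrices are flat M*N/2-bit integers. Sample data.
"""
import hashlib
import hmac
import secrets

M, N = 4, 8                      # a layer is M x N cells; half of them are white
NBITS = M * N // 2               # bits in W_Z and in R_Z
L = 3                            # number of trustees
MACHINE_KEY = b"voting-machine-seed-key (sample)"
TRUSTEE_KEYS = [b"trustee-%d-secret (sample)" % k for k in range(1, L + 1)]


def seed(q, layer):                          # s_Z(q), HMAC stand-in for a signature
    return hmac.new(MACHINE_KEY, b"%s|%d" % (layer, q), hashlib.sha256).digest()


def h(s, k):                                 # d'_k = h(s_Z(q), k)
    return hashlib.sha256(s + k.to_bytes(2, "big")).digest()


def h_prime(d_prime):                        # d_k = h'(d'_k), expanded to NBITS bits
    out = b""
    for ctr in range((NBITS + 255) // 256):
        out += hashlib.sha256(d_prime + ctr.to_bytes(2, "big")).digest()
    return int.from_bytes(out, "big") >> (len(out) * 8 - NBITS)


def noise_matrix(d_primes):                  # W_Z = d_k xor d_{k-1} xor ... xor d_1
    w = 0
    for dp in d_primes:
        w ^= h_prime(dp)
    return w


def _xor_stream(k, nonce, data):
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(TRUSTEE_KEYS[k - 1], nonce + ctr.to_bytes(4, "big"),
                       hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def e(k, plaintext):
    """Toy e_k: nonce || (plaintext xor keystream). The fresh nonce keeps each
    keystream single-use; a real deployment uses trustee k's public key."""
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(k, nonce, plaintext)


def e_inv(k, ciphertext):
    return _xor_stream(k, ciphertext[:16], ciphertext[16:])


def build_doll(d_primes):
    """D_k = e_k(d'_k || D_{k-1}) with D_0 empty; returns the outer doll D_L."""
    doll = b""
    for k, dp in enumerate(d_primes, start=1):
        doll = e(k, dp + doll)
    return doll


def open_doll(k, doll):
    """Trustee k's step: e_k^{-1}(D_k) gives d'_k and the inner doll D_{k-1}."""
    plain = e_inv(k, doll)
    return plain[:32], plain[32:]


def vote(q, ballot):
    """Machine side. The voter keeps the top layer: its red cells carry
    R_t = B xor W_b, and the receipt carries D_b so trustees can remove W_b."""
    d_primes = [h(seed(q, b"b"), k) for k in range(1, L + 1)]
    return {"q": q, "R": ballot ^ noise_matrix(d_primes), "D": build_doll(d_primes)}


def tally(receipts):
    """Trustees L..1 each open their doll, xor off d_k (their share of W_b)
    and shuffle the batch. Returns the decoded ballots plus a per-stage
    transcript (input, output, revealed d'_k per input, permutation) that a
    released stage can be audited from."""
    batch = [(r["R"], r["D"]) for r in receipts]
    transcript = []
    for k in range(L, 0, -1):
        opened = [open_doll(k, D) for _, D in batch]
        stripped = [(R ^ h_prime(dp), inner) for (R, _), (dp, inner) in zip(batch, opened)]
        perm = list(range(len(batch)))
        secrets.SystemRandom().shuffle(perm)
        out = [stripped[i] for i in perm]
        transcript.append({"k": k, "in": batch, "out": out,
                           "d_primes": [dp for dp, _ in opened], "perm": perm})
        batch = out
    return sorted(R for R, _ in batch), transcript


def audit_stage(stage):
    """Auditor's check of one released stage: each output equals the input it
    came from with h'(d'_k) xored off, under the revealed permutation."""
    expect = [R ^ h_prime(dp) for (R, _), dp in zip(stage["in"], stage["d_primes"])]
    return all(stage["out"][pos][0] == expect[src]
               for pos, src in enumerate(stage["perm"]))
```

Feeding a few receipts through `tally` returns the multiset of ballots with no serial numbers attached, which is the mix-net property the "batches randomized" slide describes; `audit_stage` is what the released video tape lets an observer verify for one of a trustee's two batches, while the unreleased batch keeps the receipt-to-ballot link hidden.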
Cryptography
• Computationally secure
  – breakable with enough computing power applied
• Unconditionally secure
  – cannot be broken even with infinite computing power applied
Cryptography
• The receipt system uses:
  – computationally secure encryption to form the layers
• Digital signatures:
  – the last inch contains a digital signature for authentication
  – scanners are used to verify the signature
Cryptography
• Privacy
  – protected using computationally secure encryption
Cost of the System
• Reduces the cost of integrity while raising its level dramatically
• Hardware cost lower than the current black-box systems
  – government buys at the price of an open-platform PC
• Cost of suitable printers, in volume, is less than the hardware cost saving
• Savings in maintenance and upgrades
Similarities to Punchscan
• Splitting the ballot is the same idea
  – destroy half the information
• Tabulation is more complicated, but similar to that of Punchscan
  – privacy is kept in a similar manner (only half of the process is chosen to be looked at)
Similarities to Punchscan
• Definitely an advancement
• Has some security problems at the system level
  – not insurmountable
• Kind of complicated
• Not expandable
  – rank-order voting would be hard
  – not the most scalable