truly verifiable elections
DESCRIPTION
talk at Microsoft Research on truly-verifiable voting
TRANSCRIPT
Truly Verifiable Voting
Ben Adida
Harvard University
MSR Voting Technology Workshop
19 March 2010
“If you think cryptography is the solution to your problem....
... then you don’t understand cryptography...
... and you don’t understand your problem.”
Yet, cryptography solves problems that initially appear to be impossible.
There is a potential paradigm shift.
A means of election verification far more powerful than other methods.
“But with cryptography, you’re just moving the black box. Few people really understand it or trust it.”
Debra Bowen, California Sec. of State, 7/30/2008 (paraphrased)
[Figure: timeline ("time") with labels "DRE code", "election" and "Election Results"]
Three Points
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets, it enables collaboration w/o blind trust, it democratizes auditing processes.
3. Truly Verifiable Voting is closing in on practicality.
1. Voting is a unique trust problem.
“Swing Vote”
terrible movie. hilarious ending.
Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results.
"She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not."
Bad Analogies
Not just that ATMs and planes are vulnerable (they are, but that’s not the point)
It’s that voting is much harder.
Bad Analogies
Adversaries
➡ pilots vs. passengers (airline is on your side, I think.)
➡ banking privacy is only voluntary: you are not the enemy.
Failure Detection & Recovery
➡ plane crashes & statements vs. 2% election fraud
➡ Full banking receipts vs. destroying election evidence
Imagine
➡ a bank where you never get a receipt.
➡ an airline where the pilot is working against you.
Ballot secrecy conflicts with auditing, cryptography can reconcile them.
http://www.cs.uiowa.edu/~jones/voting/pictures/
[Figure: "Black Box" diagram; labels: Vendor (source code), Voting Machine, Polling Location, Alice, Ballot Box Collection, Results]
Chain of Custody
2. Cryptography is not just about secrets, it enables collaboration w/o blind trust.
Initially, cryptographers re-created physical processes in the digital arena.
Then, a realization: cryptography enables a new voting paradigm
Secrecy + Auditability.
Public Ballots
Bulletin Board
Alice: Obama
Bob: McCain
Carol: Obama
Tally
Obama....2
McCain...1
Encrypted Public Ballots
Bulletin Board
Alice: Rice
Bob: Clinton
Carol: Rice
Tally
Obama....2
McCain...1
Alice verifies her vote
Everyone verifies the tally
End-to-End Verification
[Figure: labels: Vendor (source code), Voting Machine, Polling Location, Alice, Receipt, Ballot Box / Bulletin Board, Results]
Democratizing Audits
Each voter is responsible for checking their receipt (no one else can.)
Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots.
Thus, “open-audit” or truly-verifiable voting
NO!
Increased transparency when some data must remain secret.
So, yes, we encrypt, and then we work with the encrypted data in public, so everyone can see.
In particular, because the vote is encrypted, it can remain labeled with voter’s name.
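“Randomized” Encryption
Keypair consists of a public key $pk$ and a secret key $sk$.
$\mathrm{Enc}_{pk}(\text{"Obama"}) \rightarrow \texttt{8b5637}$
$\mathrm{Enc}_{pk}(\text{"McCain"}) \rightarrow \texttt{c5de34}$
$\mathrm{Enc}_{pk}(\text{"Obama"}) \rightarrow \texttt{a4b395}$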
Threshold Decryption
Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.
8b5637
$\mathrm{Dec}_{sk_1}$: b739cb
$\mathrm{Dec}_{sk_2}$: 261ad7
$\mathrm{Dec}_{sk_3}$: 7231bc
$\mathrm{Dec}_{sk_4}$: 8239ba
"Obama"
Homomorphic Encryption
then we can simply add “under cover” of encryption!
$\mathrm{Enc}(m_1) \times \mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 + m_2)$
$g^{m_1} \times g^{m_2} = g^{m_1 + m_2}$
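An added example, not from the talk: a toy tally that combines the three ideas above (randomized encryption, a key split among trustees, and Enc(m1) × Enc(m2) = Enc(m1 + m2)). It assumes exponential ElGamal, which the slides do not name, with all trustees required rather than a quorum; the group parameters and function names are constructed for illustration and far too small for real use.

```python
import secrets

# Toy group, constructed for this example: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(trustees):
    """Each trustee keeps its own sk_i; the election key is pk = g^(sum of sk_i)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(trustees)]
    pk = 1
    for s in shares:
        pk = pk * pow(G, s, P) % P
    return shares, pk

def encrypt(pk, m):
    """Randomized encryption: (g^r, g^m * pk^r) with a fresh r per ballot."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P

def add(c1, c2):
    """Enc(m1) x Enc(m2) = Enc(m1 + m2): multiply component-wise."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def partial_decrypt(share, c):
    """One trustee's contribution, a^sk_i, computed without revealing sk_i."""
    return pow(c[0], share, P)

def combine(c, partials, max_tally):
    """Remove pk^r using every partial, then find m with g^m by small search."""
    mask = 1
    for d in partials:
        mask = mask * d % P
    gm = c[1] * pow(mask, -1, P) % P
    for m in range(max_tally + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("tally out of range")

def tally(votes, trustees=4):
    """votes: 1 = Obama, 0 = McCain. Returns (bulletin board, Obama count)."""
    shares, pk = keygen(trustees)
    board = [encrypt(pk, v) for v in votes]  # posted publicly, still encrypted
    total = board[0]
    for c in board[1:]:
        total = add(total, c)
    partials = [partial_decrypt(s, total) for s in shares]
    return board, combine(total, partials, len(votes))

if __name__ == "__main__":
    print(tally([1, 0, 1])[1])  # Alice, Bob, Carol
```

No individual ballot is ever decrypted: the trustees only apply their shares to the product of all ciphertexts.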
Mixnets
Each mix server “unwraps” a layer of this encryption onion.
$c = \mathrm{Enc}_{pk_1}(\mathrm{Enc}_{pk_2}(\mathrm{Enc}_{pk_3}(m)))$
Proving certain details while keeping others secret.
Proving a ciphertext encodes a given message without revealing its random factor.
Zero-Knowledge Proof
This last envelope likely contains “Obama”
[Figure: envelopes and ballots; labels: "Vote For: Obama", "President: Mickey Mouse" (repeated)]
Zero-Knowledge Proof
Open envelopes don’t prove anything after the fact.
[Figure: two rows of ballots reading "President: Mickey Mouse" (repeated); labels: "Vote For: Obama", "Vote For: Paul", "McCain"]
A little bit more math
$y = g^x \bmod p$
$S = g^r \bmod p$
$c$
$t = xc + r$
$g^t \stackrel{?}{=} S y^c$
does this prove anything?
$y = g^x \bmod p$
$S = g^r \bmod p$
$c$
$t = xc + r$
$c$
$t = xc + r$
what’s so special about it?
$y = g^x \bmod p$
$S = g^r \bmod p$
$c$
$t = xc + r$
$g^t \stackrel{?}{=} S y^c$
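An added example, not from the talk: the exchange on these slides (y = g^x mod p, S = g^r mod p, challenge c, t = xc + r) run in Python with toy parameters and hypothetical function names. It goes slightly beyond the slides by showing two standard properties of this protocol: a transcript built backwards from c verifies without knowing x, and two answers to different challenges for the same S reveal x, which is why r must never be reused.

```python
import secrets

# Toy group, constructed for this example: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover picks a fresh r and sends S = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(x, r, c):
    """Prover answers challenge c with t = xc + r (exponents live mod Q)."""
    return (x * c + r) % Q

def verify(y, S, c, t):
    """Verifier's check: g^t ?= S * y^c (mod p)."""
    return pow(G, t, P) == S * pow(y, c, P) % P

def simulate(y, c):
    """If c is known before S is fixed, no x is needed: pick t, set S = g^t * y^(-c)."""
    t = secrets.randbelow(Q)
    S = pow(G, t, P) * pow(y, -c, P) % P
    return S, t

def extract(c1, t1, c2, t2):
    """Two answers for the same S give x = (t1 - t2) / (c1 - c2) mod Q."""
    return (t1 - t2) * pow((c1 - c2) % Q, -1, Q) % Q

def demo():
    x = secrets.randbelow(Q - 1) + 1   # prover's secret
    y = pow(G, x, P)                   # public value
    r, S = commit()
    c1, c2 = 17, 400                   # fixed here; a real verifier picks c at random
    t1, t2 = respond(x, r, c1), respond(x, r, c2)
    honest = verify(y, S, c1, t1) and verify(y, S, c2, t2)
    S_sim, t_sim = simulate(y, c1)     # accepting transcript made without x
    simulated = verify(y, S_sim, c1, t_sim)
    return honest, simulated, extract(c1, t1, c2, t2) == x

if __name__ == "__main__":
    print(demo())
```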
Electronic Experience
Voter interacts with a voting machine
Obtains a freshly printed receipt that displays the encrypted ballot
Takes the receipt home and uses it as a tracking number.
Receipts posted for public tally.
[Figure: Alice, Voting Machine, Encrypted Vote]
Paper Experience
paper ballots with indirection between candidate and choice
break the indirection (tear, detach) for effective encryption
take receipt home and use it as tracking number.
receipts posted for public tally.
[Figure: paper ballot pairing candidates with codes (Adam - x, Bob - q, Charlie - r, David - m) next to a strip "q r m x" carrying serial 8c3sw; a second ballot lists David, Adam, Bob, Charlie with blank marks and the same serial 8c3sw]
3. Cryptography-based Voting (Truly Verifiable Voting) is closing in on practicality.
Benaloh Casting
[Figure: Alice and an Encrypted Ballot; "AUDIT" branch: Decrypted Ballot and VERIFICATION of "Obama"; "CAST" branch: Signed Encrypted Ballot]
Many more great ideas
Neff’s MarkPledge
➡ high-assurance, human-verifiable, proofs of correct encryption
Prêt-à-Voter by Ryan et al.
➡ elegant, simple, paper-based
STV: Ramchen, Teague, Benaloh & Moran.
➡ handling complex election styles
Scantegrity I & II
➡ closely mirrors opscan voting
Deployments!
Scantegrity II @ Takoma Park
real municipal elections
Université catholique de Louvain
25,000 voters
Scratch, Click & Vote
Three Points
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets, it enables collaboration w/o blind trust, it democratizes the auditing process.
3. Truly Verifiable Voting is closing in on practicality.
My Fear:
computerization of voting is inevitable.
without true verifiability, the situation is grim.
My Hope:
public auditing proofs will soon be as common as public-key crypto is now.
Challenges
Ed Felten: “you have no voter privacy, deal with it.”
Questions?