
Page 1: VeryVote A Voter Verifiable Code Voting System

Instituto de Engenharia de Sistemas e Computadores Investigação e Desenvolvimento em Lisboa

technology from seed

Grupo de Sistemas Distribuídos

VeryVote: A Voter Verifiable Code Voting System

Rui Joaquim [email protected] (INESC-ID \ ISEL)
Carlos Ribeiro [email protected] (INESC-ID \ IST)
Paulo Ferreira [email protected] (INESC-ID \ IST)

Page 2: VeryVote A Voter Verifiable Code Voting System


VOTE-ID 2009, 7-8 September 2009

Introduction

• VeryVote is an Internet voting system.
• Internet voting:
  (+) brings more convenience to voters, allowing them to vote from anywhere with an Internet connection.
  (–) suffers from the secure platform problem.
    • The client platform is neither controlled nor trustworthy.
    • How can election integrity be guaranteed in this setup?
  (–) has the vote buying and coercion issues inherent to remote voting.

Page 3: VeryVote A Voter Verifiable Code Voting System

VeryVote Overview

• VeryVote addresses the secure platform problem.
• VeryVote uses a code voting approach.
  – Prevents the misbehavior of the untrusted client platform.
  – However, it “does not” provide mechanisms to verify that the vote is counted as intended by the voter.
• The VeryVote vote protocol is a fusion of a generic code voting protocol and the MarkPledge technique.
  – Cast-as-intended voter verification.
  – Universal count-as-cast verification.
  → end-to-end verifiability.

Page 4: VeryVote A Voter Verifiable Code Voting System

The Problem

[Figure: the secure platform problem. The Voter sends “Vote A” to the APP running on the Voter’s PC; the APP forwards “Vote B” to the Election Server, which answers “Thank you!”; the APP shows the voter “Vote A – Thank you!”. The Tally (columns A and B) counts what the Election Server received, not what the voter chose.]

Page 5: VeryVote A Voter Verifiable Code Voting System

Generic Code Voting Approach

[Figure: the Voter holds a Code Sheet with vote codes (A – 3WQ, B – M8W, C – WAM, …) and a confirmation code (JRF). She types the vote code 3WQ into the APP on the Voter’s PC, which forwards it to the Election Server; the server answers with the confirmation code JRF, and the Tally has columns A and B.]

• How can we verify the tally?
• By publishing the received vote codes and the associated candidates.
  – Each voter can verify her vote.
  – Anyone can do the vote count.
  – But the voter cannot correct her vote: the election tally is already published!!!
• Is there a better way?
  – Yes, VeryVote.

Page 6: VeryVote A Voter Verifiable Code Voting System

MarkPledge Overview

• MarkPledge is a cut-and-choose technique proposed to provide cast-as-intended verification to poll station voting, and works based on two functions: BitEnc(b) and OpenBitEnc(BitEnc(b), challenge).

Encrypted values:

BitEnc(0) = [ A3C 53W 8F9 324 SQ1 DHJ IPS E9F 287 KJL FXC ZPT ]   (each element encrypts a different value)
BitEnc(1) = [ JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF ]   (every element encrypts the same value)

Page 7: VeryVote A Voter Verifiable Code Voting System

MarkPledge Overview

Opening with a challenge c1 selects one position of each vector and reveals its decrypted value:

BitEnc(0) = [ A3C 53W 8F9 324 SQ1 DHJ IPS E9F 287 KJL FXC ZPT ]
BitEnc(1) = [ JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF ]
                                  ↑ c1

OpenBitEnc( BitEnc(0), c1 ) = SQ1
OpenBitEnc( BitEnc(1), c1 ) = JRF

Page 8: VeryVote A Voter Verifiable Code Voting System

MarkPledge Overview

A second challenge c2 selects a different position; the BitEnc(0) opening changes, the BitEnc(1) opening does not:

BitEnc(0) = [ A3C 53W 8F9 324 SQ1 DHJ IPS E9F 287 KJL FXC ZPT ]
BitEnc(1) = [ JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF JRF ]
                                  ↑ c1      ↑ c2

OpenBitEnc( BitEnc(0), c1 ) = SQ1     OpenBitEnc( BitEnc(0), c2 ) = IPS
OpenBitEnc( BitEnc(1), c1 ) = JRF     OpenBitEnc( BitEnc(1), c2 ) = JRF


Page 10: VeryVote A Voter Verifiable Code Voting System

MarkPledge Vote/Receipt Verification

Poll station voting (inside the voting booth):

[Figure: Voter, Vote Machine and Printer. The arrows are labelled “Bob” (the voter’s choice), “JRF”, “Random challenge (c)” and “Commit to c”: the machine commits before the voter supplies the random challenge, and the printer produces the vote receipt.]

MarkPledge Vote/Receipt

Candidates   Vote Encryption (BitEnc)   Vote Receipt (OpenBitEnc)
Alice        BitEnc(0)                  W3E
Bob          BitEnc(1) [JRF]            JRF
Charles      BitEnc(0)                  R59
Dino         BitEnc(0)                  KMZ
Challenge = c

After the election end:

1. The Vote Machine publishes the MarkPledge votes/receipts.
2. External organizations verify the correctness of the published data.
3. The voter verifies her receipt (and corrects her vote if necessary).
4. The votes are tallied using a protocol with counted-as-cast verification.

Page 11: VeryVote A Voter Verifiable Code Voting System

Building Blocks And VeryVote Protocol Overview

Generic code voting
  Verifiability / Election integrity:
    • Prevents APP vote manipulations.
    • Election server can manipulate the tally.
  Voter interaction (while voting): Simple
    • Only one input.

MarkPledge
  Verifiability / Election integrity:
    • End-to-end verifiable.
  Voter interaction (while voting): Tricky
    • 3 inputs (total).
    • 2 non-trivial inputs.
    • Step order must be respected.
    • Requires a printer while voting.

VeryVote
  Verifiability / Election integrity:
    • End-to-end verifiable.
  Voter interaction (while voting): Simple
    • Only one input.

Page 12: VeryVote A Voter Verifiable Code Voting System

Election Preparation

1. A set of trustees create a threshold shared election key pair.
2. The Election Server (ES) pre-computes and commits to the votes to be used in the election.
   • The BitEnc(b) constructions are built using the election public key.
3. The code sheets are created and associated to a pre-computed vote.
   • The confirmation code is the value encrypted in the elements of the BitEnc(1) construction.

Pre-computed Vote:  BitEnc(0)  BitEnc(0)  BitEnc(1) [JRF]  BitEnc(0)

Code Sheet
  Vote codes: Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH
  Confirmation code: JRF

Page 13: VeryVote A Voter Verifiable Code Voting System

Election Preparation

4. The code sheets are distributed to the voters:
   • Anonymous distribution
     + ES does not know who the voters are (more privacy guarantees).
     – Allows the ES to add votes for the voters that did not vote.
   • Non-anonymous distribution
     + Easier distribution process.
     + Prevents, or makes detectable, the addition of votes.
     – The ES knows who voted for whom.
5. Just before the election, the trustees create and announce a Shared Random Election Value (SREV).
   • The SREV value is not known at the creation time of the pre-computed votes.
   • The SREV will be used as a random source in the challenge generation process.

Page 14: VeryVote A Voter Verifiable Code Voting System

VeryVote Vote Protocol

[Figure: the Voter’s Code Sheet (Vote codes: Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH; Confirmation code: JRF). The voter types 3WQ into the APP on the Voter’s PC, which forwards it to the Election Server. The ES takes the Pre-computed Vote (BitEnc(0)  BitEnc(0)  BitEnc(1) [JRF]  BitEnc(0)), builds the Final Vote with BitEnc(1) [JRF] in Alice’s position (BitEnc(1) [JRF]  BitEnc(0)  BitEnc(0)  BitEnc(0)), computes challenge = hash( , SREV) (the first argument is drawn as an icon on the slide), and returns the Vote Receipt: Alice – JRF, Bob – I5W, Charles – JCU, Dino – KAI.]

After the election end:

1. The ES publishes all the pre-computed votes and the corresponding Final Votes and receipts.
2. The trustees verify the correctness of the published data.
3. The voters check their receipts against the verified receipts. If any error is detected they can correct their vote, because the election tally is not yet published.
4. After the claiming stage, the votes are anonymized by a mix net and decrypted by the trustees.
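The slides so far describe the protocol in pictures: the code sheet of generic code voting (page 5), BitEnc/OpenBitEnc (pages 6–8), election preparation (pages 12–13) and the vote protocol above. The Python below is an added toy simulation written for this page, not the VeryVote authors’ code. It assumes a SHA-256 hash commitment in place of the threshold public-key encryption the real BitEnc is built from, 12-element vectors and 3-character codes as drawn on the slides, four candidates, and that the challenge hashes the published Final Vote together with the SREV (the slide shows that first hash input only as an icon). The names `prepare_vote`, `es_cast`, `voter_verifies`, `public_verifies` and the `cheat_to` switch are chosen here.

```python
# Toy simulation of the VeryVote vote protocol (generic code voting fused with
# MarkPledge). Added example, not the authors' code; ASSUMPTIONS are marked.
import hashlib
import secrets
import string
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 3      # 3-character codes as on the slides (3WQ, JRF, ...)
VECTOR_LEN = 12   # elements per BitEnc vector, as in the slides' drawing
CANDIDATES = ["Alice", "Bob", "Charles", "Dino"]
Element = Tuple[bytes, str, bytes]   # (published commitment, code, nonce)

def random_code(avoid: str = "") -> str:
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        if code != avoid:
            return code

def commit(code: str) -> Element:
    # ASSUMPTION: a SHA-256 commitment stands in for the threshold public-key
    # encryption the real BitEnc is built from. Only the commitment is
    # published; (code, nonce) is the opening held by the Election Server.
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + code.encode()).digest(), code, nonce

def bit_enc(b: int, cc: str) -> List[Element]:
    """BitEnc(1): every element holds the confirmation code cc.
    BitEnc(0): every element holds an independent random code."""
    if b == 1:
        return [commit(cc) for _ in range(VECTOR_LEN)]
    # Codes equal to cc are excluded only to keep the demo deterministic; the
    # real system draws freely, which is the 1/#CC collision term on page 16.
    return [commit(random_code(avoid=cc)) for _ in range(VECTOR_LEN)]

def open_bit_enc(vec: List[Element], challenge: int) -> Tuple[str, bytes]:
    """OpenBitEnc: reveal the element the challenge selects."""
    _, code, nonce = vec[challenge % VECTOR_LEN]
    return code, nonce

def published(vote: List[List[Element]]) -> List[List[bytes]]:
    """What the ES publishes: commitments only, never the openings."""
    return [[c for c, _, _ in vec] for vec in vote]

def challenge_for(final_pub: List[List[bytes]], srev: bytes) -> int:
    # challenge = hash(<final vote>, SREV). ASSUMPTION: the slide draws the first
    # hash input as an icon; hashing the published Final Vote is the reading
    # under which the P1 = n!/#CC estimate on page 16 applies.
    h = hashlib.sha256(srev)
    for vec in final_pub:
        for c in vec:
            h.update(c)
    return int.from_bytes(h.digest(), "big")

def prepare_vote() -> Tuple[List[List[Element]], Dict]:
    """Election preparation: one pre-computed vote (n-1 BitEnc(0), one
    BitEnc(1) at a random position) and the code sheet tied to it."""
    cc = random_code()
    vote = [bit_enc(0, cc) for _ in CANDIDATES]
    vote[secrets.randbelow(len(CANDIDATES))] = bit_enc(1, cc)
    sheet = {"codes": {cand: random_code() for cand in CANDIDATES}, "confirmation": cc}
    return vote, sheet

def es_cast(vote, sheet, vote_code: str, srev: bytes, cheat_to: Optional[str] = None):
    """Election Server side of the vote protocol: map the vote code to a
    candidate, move BitEnc(1) to that candidate's position (the BitEnc(0)s
    keep their order), derive the challenge and open every vector."""
    chosen = next(c for c, code in sheet["codes"].items() if code == vote_code)
    if cheat_to is not None:            # simulated dishonest ES (integrity analysis)
        chosen = cheat_to
    one = next(i for i, vec in enumerate(vote) if vec[0][1] == sheet["confirmation"])
    zeros = [vec for i, vec in enumerate(vote) if i != one]
    k = CANDIDATES.index(chosen)
    final = zeros[:k] + [vote[one]] + zeros[k:]
    ch = challenge_for(published(final), srev)
    openings = {cand: open_bit_enc(final[i], ch) for i, cand in enumerate(CANDIDATES)}
    receipt = {cand: code for cand, (code, _) in openings.items()}
    return final, receipt, openings

def voter_verifies(sheet, candidate: str, receipt: Dict[str, str]) -> bool:
    """Voter check: her confirmation code must appear beside her candidate.
    Every candidate carries some code, so the receipt alone reveals no vote."""
    return receipt[candidate] == sheet["confirmation"]

def public_verifies(pre_pub, final_pub, srev: bytes, receipt, openings) -> bool:
    """Universal check from published data: the Final Vote is a permutation of
    the pre-computed vote and every receipt entry opens the selected element."""
    ch = challenge_for(final_pub, srev)
    permuted = sorted(pre_pub) == sorted(final_pub)
    opened = all(
        hashlib.sha256(openings[c][1] + receipt[c].encode()).digest() == final_pub[i][ch % VECTOR_LEN]
        for i, c in enumerate(CANDIDATES))
    return permuted and opened
```

Running `es_cast` once honestly and once with `cheat_to="Bob"` shows the split the integrity slides rely on: the manipulated Final Vote passes every public check (it is still a valid permutation and every opening verifies), but the voter sees a foreign code beside Alice, which is exactly the claim she can raise before the tally is published.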

Page 15: VeryVote A Voter Verifiable Code Voting System

VeryVote Integrity: Quick analysis

[Figure: the same flow as the vote protocol slide. Code Sheet (Vote codes: Alice – 3WQ, Bob – M8W, Charles – WAM, Dino – QGH; Confirmation code: JRF); vote code 3WQ sent through the APP on the Voter’s PC to the Election Server; Pre-computed Vote BitEnc(0)  BitEnc(0)  BitEnc(1) [JRF]  BitEnc(0); challenge = hash( , SREV); Final Vote BitEnc(1) [JRF]  BitEnc(0)  BitEnc(0)  BitEnc(0); Vote Receipt Alice – JRF, Bob – I5W, Charles – JCU, Dino – KAI.]

• The APP “cannot” modify the voter’s choice because it does not know the vote codes.
• The ES “cannot” modify the voter’s choice because the process changes the vote receipt.

Page 16: VeryVote A Voter Verifiable Code Voting System

VeryVote Integrity: Quick analysis

[Figure: the same flow, with the vote code 3WQ sent through the APP to the Election Server, but now the Code Sheet’s Confirmation code is KJE, the Pre-computed Vote is BitEnc(0)  BitEnc(0)  BitEnc(1) [JRF]  BitEnc(0), challenge = hash( , SREV), the Final Vote is BitEnc(0)  BitEnc(1) [JRF]  BitEnc(0)  BitEnc(0), and the Vote Receipt reads Alice – KJE, Bob – JRF, Charles – JCU, Dino – KAI.]

• The ES can create a fake receipt if it can find the right permutation of the BitEnc(b) values.
  – The probability of this happening is approximately
      P1 = n! / #CC
  – This probability can be made constant if we generate the challenge from the Pre-Computed Vote:
      P2 = (n – 1) / #CC

Page 17: VeryVote A Voter Verifiable Code Voting System

Conclusions

• VeryVote provides end-to-end verifiability in the Internet voting scenario.
  – The voter can privately verify and correct her vote before the tally publication.
  – The tally process is verifiable.
• VeryVote successfully addresses one of the most important problems of remote electronic voting:
  – The secure platform problem.
• VeryVote has a simple voter interaction, and therefore is very appealing for real use.
  – To the eyes of the voter, the VeryVote protocol is very similar to a generic code voting protocol.
• VeryVote does not offer any special protection against vote buying and coercion.
  – It suffers from the problems of traditional remote voting systems, e.g. postal voting.
  – The verification mechanisms of VeryVote do not break the voter’s privacy per se, although the voter can collaborate with the attacker to produce a convincing vote receipt.

Questions?

Page 18: VeryVote A Voter Verifiable Code Voting System

MarkPledge Vote/Receipt Privacy Safeguard

MarkPledge Vote/Receipt

Candidates   Vote Encryption (VoteEnc | BitEnc)   Vote Receipt (OpenBitEnc)
Alice        E(v0) | BitEnc(0)                    W3E
Bob          E(v1) | BitEnc(1)                    JRF
Charles      E(v0) | BitEnc(0)                    R59
Dino         E(v0) | BitEnc(0)                    KMZ
Challenge = c