Slide 1
How to vote verifiably in 2014
Talk by Vanessa Teague, University of Melbourne, vjteague@unimelb.edu.au
Joint work with Chris Culnane, James Heather & Steve Schneider at University of Surrey, Peter Y A Ryan at University of Luxembourg, Craig Burton at the Victorian Electoral Commission, and many helpful others
Slide 2
Disclaimer
This is a technical talk about our proposed design, with the aim of getting other researchers interested in it and perhaps in doing some analysis, verification, or improving it.
I’m not representing the VEC’s official position on anything.
Though at the moment my understanding is that they intend to use this system in the 2014 state election for specific classes of voters who would otherwise need assistance to vote.
Slide 3
Why verifiable voting? What’s wrong with this picture?
[Diagram: voters’ PCs send RSA-encrypted votes to an Electoral Commission server holding the decryption key, which produces the election outcome]
Slide 4
The main idea
This talk is about how to adapt a verifiable cryptographic voting system called Prêt à Voter to Victorian State Elections.
It’s an attendance system designed for privacy and verifiability
Slide 5
The challenge
Vote privacy is relatively easy
Using standard crypto and a completely trusted decryption & counting system
Verifiability is relatively easy
If you don’t care about privacy: just make all the votes public
The challenge is to do both:
verifiably accurate results that preserve privacy
Verify the election, not the system!
Slide 6
Voter-verifiability overview
Each voter can check that their vote is recorded as they intended
Using a polling-place protocol described here
The voter leaves the polling place with an encrypted receipt
Encodes their vote
Doesn’t reveal how they voted
All the receipts (i.e. encrypted votes) are published
The voter or a proxy can check that it’s properly included in the count
Anyone can check that the set of cast votes is properly shuffled & decrypted
While privacy is preserved
Slide 7
The requirements
Let’s demonstrate that the system does the right thing, even if some of the computers are compromised
This is how ordinary paper-based elections work
At least most of the time
Other requirements like usability, robustness, security from outside attack, etc. are also important
But not part of this talk
Slide 8
Talk outline
Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
Slide 9
Prêt à Voter
Uses pre-prepared paper ballot forms that encode the vote in familiar form.
The candidate list is randomised for each ballot form.
Information defining the candidate list is encrypted in an “onion” value printed on each ballot form.
Actually, we print a serial number that points to the encrypted values in a public table
[Sample ballot form: candidate list Red, Green, Chequered, Fuzzy, Cross; printed onion/serial value $rJ9*mn4R&8]
Slide 10
Ballot auditing
Each voter can challenge as many ballots as they like
And get a proof that the onion matches the candidate list
Then don’t use that ballot
Then vote on an unchallenged one
So you can’t prove how you voted
[Sample ballot form: candidate list Red, Green, Chequered, Fuzzy, Cross; printed onion/serial value $rJ9*mn4R&8]
Slide 11
Voting
Fill in the boxes as usual
Use a computer to help
Check its printout
Against candidate list
Shred candidate list
Computer uploads vote
Same info as on printout
Take printout home
It doesn’t reveal the vote
[Ballot form: candidate list Red, Green, Chequered, Fuzzy, Cross with preferences 1 to 5 marked; the serial value $rJ9*mn4R&8 appears on both the form and the printout]
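The ballot-form mechanics of slides 9 to 11, as an added Python example that is not code from the talk or from the Prêt à Voter project. A hash commitment stands in for the encrypted onion (an assumption made so the demo needs no key material); the public table maps each serial number to that commitment, a challenged form is opened and compared with the printed list, and a receipt carries only the serial and the preference numbers in printed order. Function names and the sample voter intent are constructed for the example.

```python
import hashlib, random

CANDIDATES = ["Red", "Green", "Chequered", "Fuzzy", "Cross"]   # the slides' sample ballot

def commit(perm, nonce):
    # Stand-in for the "onion" (an assumption of this demo): a hash commitment to the
    # candidate order. The real scheme encrypts the order instead, so no key material here.
    return hashlib.sha256((",".join(perm) + "|" + nonce).encode()).hexdigest()

def make_ballots(n, rng):
    # Authority: every form gets its own random candidate order. The public table holds
    # the serial number and the commitment only; the opening stays with the authority.
    public_table, openings = {}, {}
    for serial in range(n):
        perm = rng.sample(CANDIDATES, len(CANDIDATES))
        nonce = "%016x" % rng.getrandbits(64)
        public_table[serial] = commit(perm, nonce)
        openings[serial] = (perm, nonce)
    return public_table, openings

def audit(serial, printed_list, public_table, openings):
    # Voter challenge: the authority opens the onion for this serial and the voter checks
    # that it commits to exactly the candidate order printed on the form.
    perm, nonce = openings[serial]
    return perm == printed_list and commit(perm, nonce) == public_table[serial]

def cast(serial, printed_list, preferences):
    # Preferences are marked against the printed (permuted) list, which is then shredded;
    # the receipt carries the serial and the preference numbers in printed order only.
    return serial, [preferences[name] for name in printed_list]

def tally(receipt, openings):
    # Count: the authority's opening of the onion restores the candidate names.
    serial, marks = receipt
    perm, _ = openings[serial]
    return dict(zip(perm, marks))                  # candidate -> preference number

def run_demo(seed=5, audits=(0,), misprint=False):
    rng = random.Random(seed)
    table, openings = make_ballots(4, rng)
    def printed(serial):  # what the form shows; a misprinted form has a different order
        order = openings[serial][0]
        return list(reversed(order)) if misprint else order
    audits_ok = all(audit(s, printed(s), table, openings) for s in audits)
    ballot = next(s for s in range(4) if s not in audits)   # vote on an unchallenged form
    intent = {"Cross": 1, "Red": 2, "Green": 3, "Fuzzy": 4, "Chequered": 5}  # constructed
    receipt = cast(ballot, printed(ballot), intent)
    # On its own the receipt fits any candidate order, so it does not show how you voted.
    return audits_ok, receipt, tally(receipt, openings)
```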
Slide 12
Talk outline
Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
Slide 13
Checking from home that your vote is there
There’s a public website listing all the receipts
More precisely, there’s a “bulletin board”, which is a public website augmented with some evidence that everyone sees the same data
Find yours
Slide 14
Talk outline
Voting
Checking from home that your vote is there
Verifying shuffling and decryption
First some background on public key crypto
Randomised partial checking
Privacy
Slide 15
Verifying shuffling and decryption
Now we have a list of encrypted votes
On a public website
Encrypted, and linked to voters’ identities
Because each voter still holds their receipt
We want to
Shuffle the votes
To break the link with voter ID
Decrypt the votes
Prove that this was done correctly
Slide 16
What’s public-key cryptography?
The receiver generates two keys:
a public key e (for encrypting), and
a private key d (for decrypting)
She publicises the public key e
People use this for encrypting messages
They also include some randomness
She keeps the private key d secret
She uses this for decrypting messages
Slide 17
Picture of public-key cryptography
[Diagram: a sender encrypting and a receiver decrypting, both labelled RSA]
Slide 18
Re-randomising encryption
Without knowing the secret key, re-do the randomness used in the encryption
The message stays the same
But the new encryption can’t be linked to the old one
Slide 19
Randomised partial checking
By Jakobsson, Juels & Rivest
Significant improvements by Wikström
We can’t (completely) prevent a hacker from breaking in to all the computers and changing the votes, but
We can check the process thoroughly enough to be confident that
If the checks succeed then
The system produced the right output
With very high probability
Slide 20
Randomised partial checking
A pair of mix servers shuffle and rerandomise
Choose randomly to prove the link to start or end
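Re-randomising encryption (slide 18) and randomised partial checking over a pair of mixes (slide 20), as an added Python example that is not the talk’s or the project’s code. It uses a toy ElGamal group (p = 1019, q = 509, g = 4, constructed for the demo) with votes encoded as g^m, and an audit in which the auditor’s coin for each intermediate ciphertext decides which of the two mixes opens which link; the function names are the example’s own.

```python
import random
# Toy ElGamal group constructed for this demo (not real election parameters):
# p = 2q+1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4

def keygen(rng):
    d = rng.randrange(1, Q)                       # private key d
    return d, pow(G, d, P)                        # public key e = g^d

def encrypt(e, m, rng):
    r = rng.randrange(1, Q)                       # fresh randomness per encryption
    return pow(G, r, P), pow(G, m, P) * pow(e, r, P) % P   # exponential ElGamal of vote m

def rerandomise(e, c, s):
    # Multiply by an encryption of 1, (g^s, e^s): same plaintext, unlinkable ciphertext.
    return c[0] * pow(G, s, P) % P, c[1] * pow(e, s, P) % P

def decrypt(d, c):
    return c[1] * pow(c[0], Q - d, P) % P         # b / a^d = g^m

def mix(e, inputs, rng):
    # One mix server: a secret permutation plus a secret re-randomisation factor per item.
    n = len(inputs)
    perm, secrets = rng.sample(range(n), n), [rng.randrange(1, Q) for _ in range(n)]
    return [rerandomise(e, inputs[perm[j]], secrets[j]) for j in range(n)], perm, secrets

def rpc_audit(e, inputs, middle, outputs, mix1, mix2, coins):
    # Randomised partial checking: per intermediate ciphertext the auditor's coin makes mix 1
    # open its incoming link or mix 2 open its outgoing link, never both, so no full path leaks.
    (perm1, s1), (perm2, s2) = mix1, mix2
    out_of = {j: k for k, j in enumerate(perm2)}  # middle position -> output position
    for j, coin in enumerate(coins):
        if coin and middle[j] != rerandomise(e, inputs[perm1[j]], s1[j]):
            return False
        if not coin and outputs[out_of[j]] != rerandomise(e, middle[j], s2[out_of[j]]):
            return False
    return True

def run_demo(seed=7, votes=(1, 2, 3, 4, 5), tamper=False):
    rng = random.Random(seed)
    d, e = keygen(rng)
    inputs = [encrypt(e, m, rng) for m in votes]
    middle, perm1, s1 = mix(e, inputs, rng)
    outputs, perm2, s2 = mix(e, middle, rng)
    if tamper:  # substitute an intermediate ciphertext after both mixes have committed
        middle[0] = encrypt(e, 0, rng)
    coins = [rng.random() < 0.5 for _ in middle]
    audit_ok = rpc_audit(e, inputs, middle, outputs, (perm1, s1), (perm2, s2), coins)
    log = {pow(G, m, P): m for m in range(31)}    # decode g^m for up to 30 candidates
    return audit_ok, sorted(log[decrypt(d, c)] for c in outputs)
```

A substituted intermediate ciphertext is caught whichever way the coin falls, because it breaks either the link mix 1 must open or the link mix 2 must open.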
Slide 21
Provable decryption step
Trust me, this can be done
Using Chaum-Pedersen proofs of dlog equality
Showing proper decryption of El Gamal ciphertext given El Gamal public key
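The step slide 21 asks you to trust, as an added Python example that is not the talk’s or the project’s code: a Fiat-Shamir Chaum-Pedersen proof that the published plaintext is the correct ElGamal decryption, i.e. that log_g(e) = log_a(k) for k = a^d. It uses a toy ElGamal group (p = 1019, q = 509, g = 4, constructed for the demo); the function names are the example’s own.

```python
import hashlib, random

# Toy ElGamal group constructed for this demo (not real election parameters):
# p = 2q+1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4

def keygen(rng):
    d = rng.randrange(1, Q)
    return d, pow(G, d, P)                        # (private d, public e = g^d)

def encrypt(e, m, rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(e, r, P) % P     # (a, b) with m in the order-q subgroup

def challenge(*vals):
    # Fiat-Shamir: the challenge is a hash of every public value the proof depends on.
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).hexdigest()
    return int(digest, 16) % Q

def prove_decryption(d, e, c, rng):
    # Chaum-Pedersen proof that log_g(e) = log_a(k) for k = a^d: the same secret d behind
    # the public key was used to strip the randomness from the ciphertext.
    a, b = c
    k = pow(a, d, P)
    w = rng.randrange(1, Q)
    t1, t2 = pow(G, w, P), pow(a, w, P)           # commitments
    ch = challenge(G, e, a, k, t1, t2)
    z = (w + ch * d) % Q                          # response
    return b * pow(k, Q - 1, P) % P, (k, t1, t2, z)   # plaintext b / k and the proof

def verify_decryption(e, c, plaintext, proof):
    a, b = c
    k, t1, t2, z = proof
    ch = challenge(G, e, a, k, t1, t2)            # recompute, so the prover cannot pick it
    if pow(G, z, P) != t1 * pow(e, ch, P) % P:    # g^z = t1 * e^ch
        return False
    if pow(a, z, P) != t2 * pow(k, ch, P) % P:    # a^z = t2 * k^ch
        return False
    return b * pow(k, Q - 1, P) % P == plaintext  # announced plaintext really is b / k

def run_demo(seed=11, vote=3, lie=False):
    rng = random.Random(seed)
    d, e = keygen(rng)
    c = encrypt(e, pow(G, vote, P), rng)          # vote encoded as g^vote
    plaintext, proof = prove_decryption(d, e, c, rng)
    if lie:  # a decryptor announcing a different plaintext cannot back it with a valid proof
        plaintext = pow(G, vote + 1, P)
    log = {pow(G, m, P): m for m in range(31)}    # decode g^m for up to 30 candidates
    return verify_decryption(e, c, plaintext, proof), log[plaintext]
```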
Slide 22
Talk outline
Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
Slide 23
Privacy
Whenever you have a computer helping you fill in your vote, that computer is a privacy risk
So is the ballot printer
There are some clever schemes for verifiable voting that don’t tell your computer how you voted
e.g. the “plain” version of Prêt à Voter in which you fill in the ballot with a pencil
But none of them work with 30-candidate STV
This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote
Slide 24
Summary
This provides a rigorous after-the-fact argument that the answer was right (with high probability)
To the court we’d say
We worked really hard to make sure the software was correct
We worked really hard to make the computers secure
But even if these were not perfect:
The voters & the public could check the integrity of the data directly
And the scrutineers can reconcile that with the rest of the count
And would have detected a manipulation with high probability
Slide 25
Further info
https://www.usenix.org/system/files/conference/evtwote12/evtwote12-final9_0.pdf
http://www.computing.surrey.ac.uk/personal/st/S.Schneider/papers/2013/SDSTechReport.pdf
Though both are a bit out of date – if you want to read an up-to-date design doc with care then wait a few weeks for an updated TR
Slide 26
Conclusion and questions
If you’d like to write your own proof checker, verifier, signature checker, etc., please come and talk to me.
If you think you’ve found a bug, please come and talk to me.
If you read the supporting materials and you think you’ve found a bug, please come and talk to me.
Questions?