Verifiable - PowerPoint Presentation

Uploaded On 2017-09-11

Presentation Transcript

Slide 1: Verifiable Election Technologies: How Elections Should Be Run
Josh Benaloh
Senior Cryptographer
Microsoft Research

Slides 2-8: (no text)

Slide 9: Traditional Voting Methods

Slides 10-16: Traditional Voting Methods (the list is built up one item per slide)
- Hand-Counted Paper
- Punch Cards
- Lever Machines
- Optical Scan Ballots
- Electronic Voting Machines
- Touch-Screen Terminals
- Various Hybrids

Slide 17: Vulnerabilities and Trust
- All of these systems have substantial vulnerabilities.
- All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well).
- Can we do better?

Slides 18-25: The Voter’s Perspective

Slide 26: The Voter’s Perspective
- As a voter, you don’t really know what happens behind the curtain.
- You have no choice but to trust the people working behind the curtain.
- You don’t even get to choose the people who you will have to trust.

Slide 27: Fully-Verifiable Election Technologies (End-to-End Verifiable)
- Allows voters to track their individual (sealed) votes and ensure that they are properly counted …
- … even in the presence of faulty or malicious election equipment …
- … and/or careless or dishonest election personnel.

Slide 28: Voters can check …
- … that their (sealed) votes have been properly recorded
- … and that all recorded votes have been properly counted
- This is not just checking a claim that the right steps have been taken …
- This is actually a check that the counting is correct.

Slides 29-30: Where is My Vote?

Slide 31: End-to-End Voter-Verifiability
As a voter, I can be sure that
- My vote is cast as intended
- My vote is counted as cast
- All votes are counted as cast
… without having to trust anyone or anything.

Slide 32: But wait …
- This isn’t a secret-ballot election.
- Quite true, but it’s enough to show that voter-verifiability is possible … and also to falsify arguments that electronic elections are inherently untrustworthy.

Slide 33: Privacy
- The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).
- Performing tasks while preserving privacy is the bailiwick of cryptography.
- Cryptographic techniques can enable end-to-end verifiable elections while preserving voter privacy.

Slides 34-37: Where is My Vote?

Slide 38: Where is My Vote?
- No – 2
- Yes – 1

Slide 39: End-to-End Voter-Verifiability (repeats slide 31)

Slide 40: End-to-End Verifiable Elections
Anyone who cares to do so can
- Check that their own encrypted votes are correctly listed
- Check that other voters are legitimate
- Check the cryptographic proof of the correctness of the announced tally

Slide 41: End-to-End Verifiable Elections
Two questions must be answered …
- How do voters turn their preferences into encrypted votes?
- How are voters convinced that the published set of encrypted votes corresponds to the announced tally?

Slide 42: Is it Really This Easy?
- Yes …
- … but there are lots of details to get right.

Slide 43: Some Important Details
- How is the ballot encryption and decryption done?
- How is the cryptographic proof of the tally done?

Slide 44: Secure MPC is not Enough
- Secure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.
- But secure MPC does not prevent parties from revealing their private inputs if they so choose.

Slide 45: End-to-End Verifiable Elections
Two principal phases …
- Voters publish their names and encrypted votes.
- At the end of the election, administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.

Slide 46: Fundamental Tallying Decision
There are essentially two paradigms to choose from …
- Anonymized Ballots (Mix Networks)
- Ballotless Tallying (Homomorphic Encryption)

Slide 47: Anonymized Ballots

Slide 48: Ballotless Tallying

Slide 49: Pros and Cons of Ballots
- Ballots simplify write-ins.
- Ballots make it harder to enforce privacy – especially in complex counting scenarios.

Slide 50: Homomorphic Encryption
We can construct a public-key encryption function E such that if A is an encryption of a and B is an encryption of b, then the combination of A and B is an encryption of the combination of a and b.

Slide 51: Homomorphic Encryption – Some Homomorphic Functions
- RSA: E(m) = m^e mod n
- ElGamal: E(m, r) = (g^r, m·h^r) mod p
- GM: E(b, r) = r^2·g^b mod n
- Benaloh: E(m, r) = r^e·g^m mod n
- Paillier: E(m, r) = r^n·g^m mod n^2

Slides 52-59: Homomorphic Elections (built up over several slides)
Each voter publishes an encryption of their vote:
Alice  0
Bob    0
Carol  1
David  0
Eve    1
Combining the five encrypted votes gives an encryption of their sum, which is decrypted to the tally:
Sum = 2
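Ballotless tallying with an additively homomorphic cipher, as an added example that is not from the slides: toy exponential ElGamal (the constructed parameters P, Q, G, the trustee key X and the seeded random source are assumptions) encrypts the five votes above, multiplies the posted ciphertexts and decrypts only the product, giving 2 without opening any individual vote.

```python
import random

# Constructed toy ElGamal group (far too small for real use): p = 2q + 1, g generates the
# order-q subgroup. X is the trustee's secret key and H the election public key.
P, Q, G = 1019, 509, 4
X = 123
H = pow(G, X, P)

def encrypt(vote, r):
    """Exponential ElGamal: the vote is encoded as g^vote, so ciphertext products add votes."""
    return (pow(G, r, P), pow(G, vote, P) * pow(H, r, P) % P)

def combine(c1, c2):
    """The homomorphic step from the slides: E(a) combined with E(b) is an encryption of a + b."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def decrypt_count(ct, bound):
    """Strip the mask with the secret key, then search the small range of possible tallies."""
    a, b = ct
    g_to_m = b * pow(a, -X, P) % P            # pow(a, -X, P) is the inverse of a^X mod P
    for m in range(bound + 1):
        if pow(G, m, P) == g_to_m:
            return m
    raise ValueError("tally outside the expected range")

# Votes from the slides (constructed election: 1 = Yes, 0 = No).
VOTES = {"Alice": 0, "Bob": 0, "Carol": 1, "David": 0, "Eve": 1}

def publish_board(votes, rng):
    """Each voter posts name plus encrypted vote; no single posted vote is ever decrypted."""
    return {name: encrypt(v, rng.randrange(1, Q)) for name, v in votes.items()}

def tally(board):
    """Anyone can multiply the posted ciphertexts; only the key holder decrypts the product."""
    product = (1, 1)
    for ct in board.values():
        product = combine(product, ct)
    return decrypt_count(product, len(board))

def run_election(seed=2017):
    """Returns the decrypted tally of the slides' five votes (expected: 2)."""
    return tally(publish_board(VOTES, random.Random(seed)))
```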

Slide 60: Multiple Authorities
Votes: Alice 0, Bob 0, Carol 1, David 0, Eve 1

Slides 61-74: Multiple Authorities (built up over several slides)
Each voter splits their vote into three shares, one for each authority X1, X2, X3:

        vote        X1    X2    X3
Alice    0    =      3    -5     2
Bob      0    =     -4     5    -1
Carol    1    =      2    -3     2
David    0    =     -2    -1     3
Eve      1    =      4    -1    -2
Column sums   =      3    -5     4
Tally    2    =      3 + (-5) + 4

Slide 67: The sum of the shares of the votes constitutes shares of the sum of the votes.

Slides 68-74 repeat the table from the authorities’ side: each authority sees only its own column of shares (never the votes), publishes the sum of that column (3, -5, 4), and the three published sums combine to the tally 2.
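The share arithmetic above in code, as an added example that is not from the slides: additive secret sharing over Z_p (the modulus PRIME and the seeded random source are assumptions), with the slides’ own share table re-checked and the same five votes shared randomly among three authorities.

```python
import random

# Shares live in Z_PRIME; any modulus larger than the largest possible tally works.
PRIME = 2**61 - 1

def split(vote, n, rng):
    """Additive sharing: n - 1 random shares, the last chosen so that all n sum to the vote."""
    shares = [rng.randrange(PRIME) for _ in range(n - 1)]
    shares.append((vote - sum(shares)) % PRIME)
    return shares

def recombine(shares):
    """Only the sum of all n shares is meaningful; any n - 1 of them are uniformly random."""
    return sum(shares) % PRIME

def tally_with_authorities(votes, n, rng):
    """Each authority receives one share per voter and publishes only the sum of its column;
    the published column sums are themselves shares of the election tally."""
    columns = [[] for _ in range(n)]
    for vote in votes:
        for i, share in enumerate(split(vote, n, rng)):
            columns[i].append(share)
    column_sums = [sum(col) % PRIME for col in columns]   # all that each authority reveals
    return recombine(column_sums)

# The slides' worked numbers: rows Alice..Eve (votes 0, 0, 1, 0, 1), columns X1, X2, X3.
SLIDE_SHARES = [[3, -5, 2], [-4, 5, -1], [2, -3, 2], [-2, -1, 3], [4, -1, -2]]

def slide_example():
    """Redo the slide arithmetic over the integers: rows give votes, columns give 3, -5, 4."""
    row_votes = [sum(row) for row in SLIDE_SHARES]
    column_sums = [sum(col) for col in zip(*SLIDE_SHARES)]
    return row_votes, column_sums, sum(column_sums)

def demo(seed=7):
    """Same five votes shared randomly among three authorities; returns the recovered tally."""
    return tally_with_authorities([0, 0, 1, 0, 1], 3, random.Random(seed))
```

Plain additive sharing needs every authority to publish; the threshold scheme mentioned later in the deck is what tolerates a missing authority.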

Slide 75: Mix-Based Elections

Slide 76: Homomorphic Tallying

Slides 77-78: The Mix-Net Paradigm (diagram: Vote, Vote, Vote, Vote → MIX)

Slide 79: Multiple Mixes (diagram: Vote, Vote, Vote, Vote → MIX → MIX)

Slide 80: Decryption Mix-net
- Each object is encrypted with a pre-determined set of encryption layers.
- Each mix, in pre-determined order, performs a decryption to remove its associated layer.

Slide 81: Re-encryption Mix-net
- The decryption and shuffling functions are decoupled.
- Mixes can be added or removed dynamically with robustness.
- Proofs of correct mixing can be published and independently verified.

Slide 82: Recall Homomorphic Encryption
We can construct a public-key encryption function E such that if A is an encryption of a and B is an encryption of b, then the combination of A and B is an encryption of the combination of a and b.

Slide 83: Re-encryption (additive)
If A is an encryption of a and Z is an encryption of 0, then the combination of A and Z is another encryption of a.

Slide 84: Re-encryption (multiplicative)
If A is an encryption of a and I is an encryption of 1, then the combination of A and I is another encryption of a.

Slides 85-86: A Re-encryption Mix (diagram: MIX)

Slide 87: Re-encryption Mix-nets (diagram: Vote, Vote, Vote, Vote → MIX → MIX)

Slide 88: Verifiability
- Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.
- Any observer can verify this proof.
- The decryptions are also proven to be correct.
- If a mix’s proof is invalid, its mixing will be bypassed.

Slide 89: Faulty Mixes (diagram: Vote, Vote, Vote, Vote → MIX → MIX)

Slide 90: Recent Mix Work
- 1993 Park, Itoh, and Kurosawa
- 1995 Sako and Kilian
- 2001 Furukawa and Sako
- 2001 Neff
- 2002 Jakobsson, Juels, and Rivest
- 2003 Groth

Slides 91-93: Re-encryption Mix Operation (diagram: Input Ballot Set → MIX → Output Ballot Set)

Slide 94: Re-encryption Mix Operation
Inputs:  27182818, 31415926, 16180339, 14142135
Outputs: 81828172, 62951413, 93308161, 53124141

Slide 95: Re-encryption
- Each value is re-encrypted by multiplying it by an encryption of one.
- This can be done without knowing the decryptions.

Slide 96: Verifying a Re-encryption
Inputs:  27182818, 31415926, 16180339, 14142135
→ MIX →
Outputs: 81828172, 62951413, 93308161, 53124141

Slide 97: A Simple Verifiable Re-encryption Mix

Slide 98: Is This “Proof” Absolute?
- The proof can be “defeated” if and only if every left/right decision can be predicted by the prover in advance.
- If there are 100 intermediate ballot sets, the chance of this happening is 1 in 2^100.

Slide 99: Who Chooses?
- If you choose, then you are convinced. But this won’t convince me.
- We can each make some of the choices. But this can be inefficient.
- We can co-operate on the choices. But this is cumbersome.
- We can agree on a random source. But what source?

Slide 100: Who Chooses? The Fiat-Shamir Heuristic
- Prepare all of the ballot sets as above.
- Put all of the data into a one-way hash.
- Use the hash output to make the choices.
- This allows a proof of equivalence to be “published” by the mix.
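The cut-and-choose mix proof of slides 94-100 with Fiat-Shamir challenges, as an added example that is not from the slides or any project: toy ElGamal re-encryption (the constructed group P, Q, G and public key H are assumptions), 24 intermediate ballot sets, a verifier that recomputes the hash-derived left/right choices, and a swapped output ballot that the verifier rejects.

```python
import hashlib
import random

# Constructed toy ElGamal group (far too small for real use): p = 2q + 1, g of order q.
# H is the election public key (g^123); the mix needs only H, never the secret exponent.
P, Q, G = 1019, 509, 4
H = pow(G, 123, P)

def encrypt(m, r):
    return (pow(G, r, P), m * pow(H, r, P) % P)

def reencrypt(ct, r):
    """Multiply by the encryption (g^r, h^r) of 1: same plaintext, fresh randomness."""
    return (ct[0] * pow(G, r, P) % P, ct[1] * pow(H, r, P) % P)

def shuffle_step(cts, rng):
    """Re-encrypt and permute: returns (out, perm, rs) with out[i] = reencrypt(cts[perm[i]], rs[i])."""
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    rs = [rng.randrange(1, Q) for _ in cts]
    return [reencrypt(cts[perm[i]], rs[i]) for i in range(len(cts))], perm, rs

def challenge_bits(inputs, output, mids):
    """Fiat-Shamir: hash everything the mix committed to, read one left/right bit per round."""
    h = hashlib.sha256(repr((inputs, output, mids)).encode()).digest()
    return [(int.from_bytes(h, "big") >> i) & 1 for i in range(len(mids))]

def mix_with_proof(inputs, rng, rounds=24):
    """Cut-and-choose: every intermediate set is a fresh shuffle of the inputs, and per round
    the mix opens either the input-to-intermediate or the intermediate-to-output step."""
    output, perm, rs = shuffle_step(inputs, rng)
    mids, lefts, rights = [], [], []
    for _ in range(rounds):
        mid, p_k, r_k = shuffle_step(inputs, rng)
        pos = {p_k[j]: j for j in range(len(p_k))}           # where each input landed in mid
        p_r = [pos[perm[i]] for i in range(len(perm))]       # mid position feeding output[i]
        r_r = [(rs[i] - r_k[p_r[i]]) % Q for i in range(len(perm))]
        mids.append(mid); lefts.append((p_k, r_k)); rights.append((p_r, r_r))
    bits = challenge_bits(inputs, output, mids)
    openings = [lefts[k] if bits[k] == 0 else rights[k] for k in range(rounds)]
    return output, {"mids": mids, "openings": openings}

def step_ok(src, dst, perm, rs):
    """An opened step must be a genuine permutation with matching re-encryption factors."""
    return (len(dst) == len(src) and sorted(perm) == list(range(len(src)))
            and all(dst[i] == reencrypt(src[perm[i]], rs[i]) for i in range(len(dst))))

def verify_mix(inputs, output, proof):
    mids, openings = proof["mids"], proof["openings"]
    if len(openings) != len(mids):
        return False
    bits = challenge_bits(inputs, output, mids)             # observer recomputes the challenges
    for mid, bit, (perm, rs) in zip(mids, bits, openings):
        src, dst = (inputs, mid) if bit == 0 else (mid, output)
        if not step_ok(src, dst, perm, rs):
            return False
    return True

def demo(seed=7):
    """Four constructed ballots: (honest proof verifies, proof rejected once an output is swapped)."""
    rng = random.Random(seed)
    ballots = [encrypt(pow(G, v, P), rng.randrange(1, Q)) for v in (1, 0, 1, 1)]
    output, proof = mix_with_proof(ballots, rng)
    tampered = [encrypt(pow(G, 2, P), 5)] + output[1:]      # a plaintext no ballot carried
    return verify_mix(ballots, output, proof), verify_mix(ballots, tampered, proof)
```

With 24 rounds a substituted ballot slips through only if every hash-derived choice opens the untouched side, i.e. with probability 2^-24; the slide's 100 rounds give 2^-100.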

Slide 101: Assumptions
- A disadvantage of using Fiat-Shamir is that election integrity now requires a computational assumption – the assumption that the hash is “secure”.
- Voter privacy depends upon the quality of the encryption.

Slide 102: The Encryption
- Anyone with the decryption key can read all of the votes – even before mixing.
- A threshold encryption scheme is used to distribute the decryption capabilities.

Slide 103: Randomized Partial Checking (diagram: MIX)

Slide 104: Choose Any Two
We have techniques to make verifiable tallying …
- Computationally Efficient
- Conceptually Simple
- Exact

Slide 105: Most Verifiable Election Protocols
- Step 1: Encrypt your vote and …
- How?

Slide 106: How do Humans Encrypt?
- If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.
- If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?

Slide 107: The Human Encryptor
- We need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.

Slides 108-113: MarkPledge Ballot (built up over several slides)

Alice   367  248  792  141  390  863  427  015
Bob     629  523  916  504  129  077  476  947
Carol   285  668  049  732  859  308  156  422
David   863  863  863  863  863  863  863  863
Eve     264  717  740  317  832  399  441  946

Device commitment to voter (slides 110-112): “Your candidate’s number is 863.”
Voter challenge (slides 111-112): “Decrypt column number 5.”

Slide 114: Prêt à Voter Ballot
Candidate order: Bob, Eve, Carol, Alice, David; serial number 17320508

Slide 115: Prêt à Voter Ballot
Candidate order: Bob, Eve, Carol, Alice (marked X), David; serial number 17320508

Slide 116: Prêt à Voter Ballot
Only the X mark and the serial number 17320508 remain.

Slide 117: PunchScan Ballot #001
Top sheet: Y – Alice, X – Bob; bottom sheet: X, Y

Slide 118: PunchScan Ballot #001
Top sheet: Y – Alice, X – Bob; bottom sheet: Y, X

Slides 119-120: PunchScan Ballot #001
Top sheet: X – Alice, Y – Bob; bottom sheet: Y, X

Slide 121: PunchScan Ballot #001
Top sheet: X – Alice, Y – Bob; the two sheets separated: #001 Y and #001 X

Slide 122: Scantegrity

Slide 123: Three-Ballot
Three ballots, each listing President: Alice, Bob, Charles; Vice President: David, Erica; with ballot identifiers r9>k*@0e!4$%, *t3]a&;nzs^_= and u)/+8c$@.?(

Slide 124: Voter-Initiated Auditing
- Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)
- After selections are made, voter receives an encrypted receipt of the ballot.

Slide 125: Voter-Initiated Auditing
Voter choice: Cast or Challenge
Encrypted Vote: 734922031382

Slide 126: Voter-Initiated Auditing – Cast
Encrypted Vote: 734922031382

Slide 127: Voter-Initiated Auditing – Challenge
Encrypted Vote: 734922031382
Vote for Alice
Random # is 28637582738

Slide 128: Voter-Initiated Auditing
- When instantiated on an electronic voting device (DRE), it looks like Helios.
- When instantiated on an optical scanner, you get Verified Optical Scan.
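Voter-initiated auditing (cast or challenge) in code, as an added example that is not from the slides or from Helios: the device commits to a receipt fingerprint before the voter chooses, a challenge opens the candidate and the randomness, and anyone can recompute the encryption and compare; the toy ElGamal group, the candidate list, the digest used as fingerprint and the misrecord_as fault model are assumptions.

```python
import hashlib
import random

# Constructed toy ElGamal group (far too small for real use); H is the election public key.
P, Q, G = 1019, 509, 4
H = pow(G, 123, P)
CANDIDATES = ["Alice", "Bob", "Carol", "David", "Eve"]

def encrypt(candidate, r):
    """Encrypt the candidate's index (as g^index) under the election key with randomness r."""
    return (pow(G, r, P), pow(G, CANDIDATES.index(candidate), P) * pow(H, r, P) % P)

def fingerprint(ct):
    """The number printed on the receipt: a short digest of the encrypted vote."""
    return hashlib.sha256(repr(ct).encode()).hexdigest()[:12]

class VotingDevice:
    """Commits to an encryption before learning whether the voter will cast or challenge."""
    def __init__(self, rng, misrecord_as=None):
        self.rng, self.misrecord_as = rng, misrecord_as   # misrecord_as models a faulty device

    def prepare(self, selection):
        recorded = self.misrecord_as or selection
        self.r = self.rng.randrange(1, Q)
        self.ct, self.selection = encrypt(recorded, self.r), selection
        return fingerprint(self.ct)                       # receipt handed to the voter now

    def cast(self):
        return self.ct                                    # goes to the public bulletin board

    def challenge(self):
        return self.selection, self.r                     # device must open its commitment

def audit(receipt, claimed_selection, r):
    """Anyone can redo the encryption from the opened values and compare with the receipt."""
    return fingerprint(encrypt(claimed_selection, r)) == receipt

def run_session(seed=11, misrecord_as=None):
    """Voter selects Alice and challenges; returns whether the opened ballot matches the receipt."""
    device = VotingDevice(random.Random(seed), misrecord_as)
    receipt = device.prepare("Alice")
    selection, r = device.challenge()
    return audit(receipt, selection, r)
```

A challenged ballot is spoiled and never cast; the voter starts over, so a device that misrecords cannot know in advance which of its encryptions will be opened.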

Slide 129: Verified Optical Scan
- Ballot format is identical to current optical scan.
- No special marks
- Identical ballots are fine

Slide 130: Verified Optical Scan – An Enhanced Ballot Scanner
- Capable of reading a ballot’s contents and conditionally returning it
- Equipped with: Receipt Printer; Small Display; At Least Two “Choice” Buttons

Slide 131: Verified Optical Scan – The Ideal Ballot Scanner
- It is desirable (although not required) that the ballot scanner have the ability to print directly onto the ballot paper.
- This enables the scanner to print its interpretation of the ballot contents directly onto the ballot.

Slide 132: The Verified OpScan Voting Process
- Voter prepares an optical scan ballot in a conventional manner.
- Voter inserts the marked ballot into an optical scanner.
- Scanner encrypts the ballot contents and prints a signed copy of the encryption together with time, scanner ID and sequence number.

Slide 133: Voter Options
Voter is given the following options.
- Cast this ballot.
- Modify this ballot.
- Cancel this ballot.

Slide 134: The “Cast” Option
If the voter chooses to cast the ballot:
- The scanner’s interpretation of the ballot’s contents is printed onto the ballot.
- The scanner adds an additional signature and hash fingerprint to the paper receipt indicating that the ballot has been cast.
- Voter takes receipt home.

Slide 135: The “Modify” Option
If the voter chooses to modify this ballot:
- The ballot is returned to the voter without any additional marks.
- The voter is allowed to take the receipt, but it will serve no value.

Slide 136: The “Cancel” Option
If the voter chooses to cancel this ballot:
- The scanner’s interpretation of the ballot’s contents is printed onto the ballot.
- An additional mark is printed onto the ballot to indicate it is VOID for casting.
- A signed verifiable decryption and hash fingerprint are added to the printed receipt.

Slide 137: Verification
- Voters can check that their encrypted ballots are properly posted.
- Voters and others can check that the back-end tallying is properly performed.
- Voters and others can check that cancelled ballots are properly decrypted.

Slide 138: Benefits
- Addition of an Independent Audit Path
- Blocking of Conspiratorial Threats
- Detection of Inadvertent Scanner Errors

Slide 139: Threats
- Cryptographic Compromise
- Covert Channels
- Coercion
- Ballot Addition/Deletion/Substitution
- Encrypted Ballot Duplication

Slide 140: Reduced Functionality
- No receipt printer: hash codes can be displayed instead
- No display: two marked buttons (Cast or Cancel) suffice
- No ability to print onto ballots: voters must be prevented from casting previously cancelled ballots

Slide 141: Partial Implementation
- Implementing this front-end system without a cryptographic back-end still catches many faulty scanners and allows voters to check that their votes have been properly recorded.

Slide 142: Incremental Improvements
- Many of these measures are simple improvements that offer benefits even if not used with truly “end-to-end” publicly verifiable systems.

Slide 143: The Greater Whole …
- When enough of these improvements are implemented, we can obtain the benefits of public verifiability without sacrificing the comfort we often have in good administrative verifiability.

Slide 144: Ballot Casting Assurance
- The voter front ends shown here differ in both their human-factors qualities and the level of assurance that they offer.
- All are feasible and provide greater integrity than current methods.

Slide 145: Real-World Deployments
- Helios (www.heliosvoting.org) – Ben Adida and others
  - Remote electronic voting system using voter-initiated auditing and a homomorphic backend.
  - Used to elect the president of UC Louvain, Belgium.
  - Used in Princeton University student government.
  - Used to elect the IACR Board of Directors.
- Scantegrity II (www.scantegrity.org) – David Chaum, Ron Rivest, many others.
  - Optical scan system with codes revealed by invisible-ink markers and a “plugboard-mixnet” backend.
  - Used for municipal elections in Takoma Park, MD.

Slide 146: What’s Left? Front End
- There is great value in continuing work on the user-facing front end.
- The front end should be: simpler to use; simpler to understand; higher assurance.

Slide 147: What’s Left? Back End
- Simple counting methods are well understood, with effective techniques.
- More complex counting methods create substantial challenges: maintaining strong privacy; keeping computations efficient.

Slide 148: Is There any Deployment Hope?
- The U.S. Election Assistance Commission is considering new guidelines.
- These guidelines explicitly include an “innovation class” which could be satisfied by truly verifiable election systems.
- Election supervisors must choose to take this opportunity to change the paradigm.

Slide 149: Questions?