Election Technologies How Elections Should Be Run Josh Benaloh Senior Cryptographer Microsoft Research Traditional Voting Methods Traditional Voting Methods HandCounted Paper Traditional Voting Methods ID: 587297
Download Presentation The PPT/PDF document "Verifiable" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
VerifiableElectionTechnologiesHow Elections Should Be Run
Josh
Benaloh
Senior Cryptographer
Microsoft ResearchSlide2Slide3Slide4Slide5Slide6Slide7Slide8Slide9
Traditional Voting MethodsSlide10
Traditional Voting MethodsHand-Counted PaperSlide11
Traditional Voting MethodsHand-Counted PaperPunch CardsSlide12
Traditional Voting MethodsHand-Counted PaperPunch CardsLever MachinesSlide13
Traditional Voting MethodsHand-Counted PaperPunch CardsLever MachinesOptical Scan BallotsSlide14
Traditional Voting MethodsHand-Counted PaperPunch CardsLever MachinesOptical Scan BallotsElectronic Voting MachinesSlide15
Traditional Voting MethodsHand-Counted PaperPunch CardsLever MachinesOptical Scan BallotsElectronic Voting MachinesTouch-Screen TerminalsSlide16
Traditional Voting MethodsHand-Counted PaperPunch CardsLever MachinesOptical Scan BallotsElectronic Voting MachinesTouch-Screen TerminalsVarious HybridsSlide17
Vulnerabilities and TrustAll of these systems have substantial vulnerabilities.All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well).Can we do better?Slide18
The Voter’s PerspectiveSlide19
The Voter’s PerspectiveSlide20
The Voter’s PerspectiveSlide21
The Voter’s PerspectiveSlide22
The Voter’s PerspectiveSlide23
The Voter’s PerspectiveSlide24
The Voter’s PerspectiveSlide25
The Voter’s PerspectiveSlide26
The Voter’s PerspectiveAs a voter, you don’t really know what happens behind the curtain.You have no choice but to trust the people working behind the curtain.You don’t even get to choose the people who you will have to trust.Slide27
Fully-Verifiable Election Technologies(End-to-End Verifiable)Allows voters to track their individual (sealed) votes and ensure that they are properly counted…… even in the presence of faulty or malicious election equipment …… and/or careless or dishonest election personnel.Slide28
Voters can check …… that their (sealed) votes have been properly recorded… and that all recorded votes have been properly countedThis is not just checking a claim that the right steps have been taken …This is actually a check that the counting is correct.Slide29
Where is My Vote?Slide30
Where is My Vote?Slide31
End-to-End Voter-VerifiabilityAs a voter, I can be sure that My vote isCast as intendedCounted as castAll votes are counted as cast… without having to trust anyone or anything.Slide32
But wait …This isn’t a secret-ballot election.Quite true, but it’s enough to show that voter-verifiability is possible … and also to falsify arguments that electronic elections are inherently untrustworthy.Slide33
PrivacyThe only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).Performing tasks while preserving privacy is the bailiwick of cryptography.Cryptographic techniques can enable end-to-end verifiable elections while preserving voter privacy.Slide34
Where is My Vote?Slide35
Where is
My
Vote?Slide36
Where is My Vote?Slide37
Where is My Vote?Slide38
Where is My Vote?No – 2Yes – 1Slide39
End-to-End Voter-VerifiabilityAs a voter, I can be sure that My vote isCast as intendedCounted as castAll votes are counted as cast… without having to trust anyone or anything.Slide40
End-to-End Verifiable ElectionsAnyone who cares to do so canCheck that their own encrypted votes are correctly listedCheck that other voters are legitimateCheck the cryptographic proof of the correctness of the announced tallySlide41
End-to-End Verifiable ElectionsTwo questions must be answered …How do voters turn their preferences into encrypted votes?How are voters convinced that the published set of encrypted votes corresponds the announced tally?Slide42
Is it Really This Easy?Yes …… but there are lots of details to get right.Slide43
Some Important DetailsHow is the ballot encryption and decryption done?How is the cryptographic proof of the tally done?Slide44
Secure MPC is not EnoughSecure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.But secure MPC does not prevent parties from revealing their private inputs if they so choose.Slide45
End-to-End Verifiable ElectionsTwo principle phases …Voters publish their names and encrypted votes.At the end of the election, administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.Slide46
Fundamental Tallying DecisionThere are essentially two paradigms to choose from …Anonymized Ballots (Mix Networks)Ballotless Tallying
(
Homomorphic
Encryption)Slide47
Anonymized BallotsSlide48
Ballotless TallyingSlide49
Pros and Cons of BallotsBallots simplify write-ins.Ballots make it harder to enforce privacy – especially in complex counting scenarios.Slide50
Homomorphic EncryptionWe can construct a public-key encryption function E such that if A is an encryption of
a
and
B
is
an
encryption of
b
then
A
B
is
an
encryption of
a
b
.Slide51
Homomorphic EncryptionSome Homomorphic FunctionsRSA: E(m) = me
mod
n
ElGamal
:
E
(
m,r
) = (
g
r
,mh
r
) mod
p
GM:
E
(
b,r
) =
r
2
g
b
mod
n
Benaloh:
E
(
m,r
) =
r
e
g
m
mod
n
Pallier
:
E
(
m,r
) =
r
n
g
m
mod
n
2Slide52
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
ElectionsSlide53
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
Homomorphic
ElectionsSlide54
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
ElectionsSlide55
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
ElectionsSlide56
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
ElectionsSlide57
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
ElectionsSlide58
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
ElectionsSlide59
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
ElectionsSlide60
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Multiple AuthoritiesSlide61
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
Multiple AuthoritiesSlide62
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
Multiple AuthoritiesSlide63
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
3
-5
4
Multiple AuthoritiesSlide64
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
3
-5
4
Multiple AuthoritiesSlide65
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
2
=
3
-5
4
Multiple AuthoritiesSlide66
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
2
=
3
-5
4
Multiple AuthoritiesSlide67
The sum of the shares of the votes constitute shares of the sum of the votes.Multiple AuthoritiesSlide68
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
2
=
3
-5
4
Multiple AuthoritiesSlide69
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
Multiple AuthoritiesSlide70
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
Multiple AuthoritiesSlide71
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
3
-5
4
Multiple AuthoritiesSlide72
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
3
-5
4
Multiple AuthoritiesSlide73
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
=
3
-5
4
Multiple AuthoritiesSlide74
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
2
=
3
-5
4
Multiple AuthoritiesSlide75
Mix-Based ElectionsSlide76
Homomorphic
TallyingSlide77
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
VoteSlide78
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
VoteSlide79
Multiple MixesMIX
Vote
Vote
Vote
Vote
MIX
Slide80
Decryption Mix-netEach object is encrypted with a pre-determined set of encryption layers.Each mix, in pre-determined order performs a decryption to remove its associated layer.Slide81
Re-encryption Mix-netThe decryption and shuffling functions are decoupled.Mixes can be added or removed dynamically with robustness.Proofs of correct mixing can be published and independently verified.Slide82
Recall Homomorphic EncryptionWe can construct a public-key encryption function E such that if A is an
encryption of
a
and
B
is
an
encryption of
b
then
A
B
is
an
encryption of
a
b
.Slide83
Re-encryption (additive) A is an encryption of a and
Z
is
an
encryption of
0
then
A
Z
is
another
encryption of
a
.Slide84
Re-encryption (multiplicative) A is an encryption of a and
I
is
an
encryption of
1
then
A
I
is
another
encryption of
a
.Slide85
A Re-encryption MixMIXSlide86
A Re-encryption Mix
MIXSlide87
Re-encryption Mix-netsMIX
Vote
Vote
Vote
Vote
MIXSlide88
VerifiabilityEach re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.Any observer can verify this proof.The decryptions are also proven to be correct.If a mix’s proof is invalid, its mixing will be bypassed.Slide89
Faulty MixesMIX
Vote
Vote
Vote
Vote
MIXSlide90
Recent Mix Work1993 Park, Itoh, and Kurosawa1995 Sako and Kilian2001 Furukawa and Sako2001 Neff2002 Jakobsson, Juels, and Rivest2003 GrothSlide91
Input Ballot Set
Output Ballot Set
MIX
Re-encryption Mix OperationSlide92
MIX
Input Ballot Set
Output Ballot Set
Re-encryption Mix OperationSlide93
MIXRe-encryption Mix OperationSlide94
27182818
31415926
16180339
14142135
81828172
62951413
93308161
53124141
Inputs
Outputs
81828172
62951413
93308161
53124141
81828172
62951413
93308161
53124141
Re-encryption Mix OperationSlide95
Re-encryptionEach value is re-encrypted by multiplying it by an encryption of one.This can be done without knowing the decryptions.Slide96
27182818
31415926
16180339
14142135
81828172
62951413
93308161
53124141
Verifying a Re-encryption
MIX
27182818
31415926
16180339
14142135Slide97
A Simple Verifiable Re-encryption MixSlide98
Is This “Proof” Absolute?The proof can be “defeated” if and only if every left/right decision can be predicted by the prover in advance.If there are 100 intermediate ballot sets, the chance of this happening is 1 in 2100.Slide99
Who Chooses?If you choose, then you are convinced.But this won’t convince me.We can each make some of the choices.But this can be inefficient.We can co-operate on the choices.
But this is cumbersome.
We can agree on a random source.
But what source?Slide100
Who Chooses?The Fiat-Shamir HeuristicPrepare all of the ballot sets as above.Put all of the data into a one-way hash.Use the hash output to make the choices.This allows a proof of equivalence to be “published” by the mix.Slide101
AssumptionsA disadvantage of using Fiat-Shamir is that election integrity now requires a computational assumption – the assumption that the hash is “secure”.Voter privacy depends upon the quality of the encryption.Slide102
The EncryptionAnyone with the decryption key can read all of the votes – even before mixing.A threshold encryption scheme is used to distribute the decryption capabilities.Slide103
Randomized Partial Checking
MIXSlide104
Choose Any TwoWe have techniques to make verifiable tallying …Computationally EfficientConceptually SimpleExactSlide105
Most Verifiable Election ProtocolsStep 1Encrypt your vote and …How?Slide106
How do Humans Encrypt?If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?Slide107
The Human EncryptorWe need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.Slide108
MarkPledge BallotAlice367248792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946Slide109
MarkPledge BallotAlice367248
792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946Slide110
MarkPledge BallotAlice367248
792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946
Device commitment to voter: “You’re candidate’s number is 863.”Slide111
MarkPledge BallotAlice367248
792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946
Device commitment to voter: “You’re candidate’s number is 863.”
Voter challenge: “Decrypt column number 5.”Slide112
MarkPledge BallotAlice367248
792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946
Device commitment to voter: “You’re candidate’s number is 863.”
Voter challenge: “Decrypt column number 5.”Slide113
MarkPledge BallotAlice367248792
141
390
863
427
015
Bob
629
523
916
504
129
077
476
947
Carol
285
668
049
732
859
308
156
422
David
863
863
863
863
863
863
863
863
Eve
264
717
740
317
832
399
441
946Slide114
Prêt à Voter BallotBob
Eve
Carol
Alice
David
17320508Slide115
Prêt à Voter BallotBob
Eve
Carol
Alice
X
David
17320508Slide116
Prêt à Voter Ballot
X
17320508Slide117
PunchScan BallotY – AliceX – Bob
X
Y
#001Slide118
PunchScan BallotY – AliceX – Bob
Y
X
#001Slide119
PunchScan BallotX – AliceY – Bob
Y
X
#001Slide120
PunchScan BallotX – AliceY – Bob
Y
X
#001Slide121
X – AliceY – BobPunchScan Ballot
#001
Y
#001
XSlide122
ScantegritySlide123
Three-BallotBallot
President
Alice
Bob
Charles
Vice President
David
Erica
r9>k*@0e!4$%
Ballot
President
Alice
Bob
Charles
Vice President
David
Erica
*t3]a&;nzs^_=
Ballot
President
Alice
Bob
Charles
Vice President
David
Erica
u)/+8c$@.?(Slide124
Voter-Initiated AuditingVoter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)After selections are made, voter receives an encrypted receipt of the ballot.Slide125
Voter-Initiated AuditingVoter choice: Cast or Challenge
734922031382
Encrypted VoteSlide126
CastVoter-Initiated Auditing
734922031382
Encrypted VoteSlide127
Voter-Initiated AuditingChallenge
734922031382
Vote for
Alice
Random # is
28637582738Slide128
Voter-Initiated AuditingWhen instantiated on an electronic voting device (DRE), it looks like Helios.When instantiated on an optical scanner, you get Verified Optical Scan.Slide129
Verified Optical ScanBallot format is identical to current optical scan.No special marksIdentical ballots are fineSlide130
Verified Optical ScanAn Enhanced Ballot ScannerCapable of reading a ballot’s contents and conditionally returning itEquipped withReceipt PrinterSmall DisplayAt Least Two “Choice” ButtonsSlide131
Verified Optical ScanThe Ideal Ballot ScannerIt is desirable (although not required) that the ballot scanner have the ability to print directly onto the ballot paper.This enables the scanner to print its interpretation of the ballot contents directly onto the ballot.Slide132
The Verified OpScan Voting ProcessVoter prepares an optical scan ballot in a conventional manner.Voter inserts the marked ballot into an optical scanner.Scanner encrypts ballot contents and prints signed copy of encryption together with time, scanner ID, seq #.Slide133
Voter OptionsVoter is given the following options.Cast this ballot.Modify this ballot.Cancel this ballot.Slide134
The “Cast” OptionIf the voter chooses to cast the ballotThe scanner’s interpretation of the ballot’s contents are printed onto ballot.The scanner adds an additional signature and hash fingerprint to the paper receipt indicating that the ballot has been cast.Voter takes receipt home.Slide135
The “Modify” OptionIf the voter chooses to modify this ballotThe ballot is returned to the voter without any additional marks.The voter is allowed to take the receipt, but it will serve no value.Slide136
The “Cancel” OptionIf the voter chooses to cancel this ballotThe scanner’s interpretation of the ballot’s contents are printed onto ballot.An additional mark is printed onto the ballot to indicate it is VOID for casting.A signed verifiable decryption and hash fingerprint are added to printed receipt.Slide137
VerificationVoters can check that their encrypted ballots are properly posted.Voters and others can check that the back-end tallying is properly performed.Voters and others can check that cancelled ballots are properly decrypted.Slide138
BenefitsAddition of an Independent Audit PathBlocking of Conspiratorial ThreatsDetection of Inadvertent Scanner ErrorsSlide139
ThreatsCryptographic CompromiseCovert ChannelsCoercionBallot Addition/Deletion/SubstitutionEncrypted Ballot DuplicationSlide140
Reduced FunctionalityNo receipt printerHash codes can be displayed insteadNo displayTwo marked buttons (Cast or Cancel) sufficeNo ability to print onto ballots
Voters must be prevented from casting previously cancelled ballotsSlide141
Partial ImplementationImplementing this front end system without a cryptographic back-end still catches many faulty scanners and allows voters to check that their votes have been properly recorded.Slide142
Incremental ImprovementsMany of these measures are simple improvements that offer benefits even if not used with truly “end to end” publically verifiable systems.Slide143
The Greater Whole …When enough of these improvements are implemented, we can obtain the benefits of public verifiability without sacrificing the comfort we often have in good administrative verifiability.Slide144
Ballot Casting AssuranceThe voter front ends shown here differ in both their human factors qualities and the level of assurance that they offer.All are feasible and provide greater integrity than current methods.Slide145
Real-World DeploymentsHelios (www.heliosvoting.org) – Ben Adida and othersRemote electronic voting system using voter-initiated auditing and homomorphic backend.Used to elect president of UC Louvain, Belgium.Used in Princeton University student government.Used to elect IACR Board of Directors.Scantegrity II (www.scantegrity.org) – David Chaum, Ron Rivest, many others.Optical scan system with codes revealed by invisible ink markers and “plugboard-mixnet” backend.
Used for municipal elections in Takoma Park, MD.Slide146
What’s Left?Front EndThere is great value in continuing work on the user-facing front end.The front end should beSimpler to useSimpler to understandHigher assuranceSlide147
What’s Left?Back EndSimple counting methods are well-understood with effective techniques.More complex counting methods create substantial challenges –Maintaining strong privacyKeeping computations efficientSlide148
Is There any Deployment Hope?The U.S. Election Assistance Commission is considering new guidelines.These guidelines explicitly include an “innovation class” which could be satisfied by truly verifiable election systems.Election supervisors must choose to take this opportunity to change the paradigm.Slide149
Questions?