Transcript Pret a Voter

Beyond Prêt à Voter
Peter Y A Ryan
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
1
Credits
• With thanks to:
–
–
–
–
–
–
–
–
–
David Chaum
Michael Clarkson
James Heather
Michael Jackson
Thea Peacock
Brian Randell
Ron Rivest
Steve Schneider
and many others….
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
2
Outline
•
•
•
•
Outline of Prêt à Voter “Classic”
Prêt à Voter with re-encryption mixes
Vulnerabilities and counter-measures
Open questions and future work
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
3
The Requirements
• Key requirements/desiderata (informal and incomplete):
– Integrity/accuracy.
– Ballot secrecy.
– Voter verifiability: the voter should be able to confirm that their
vote is accurately included in the count and prove to a 3rd party if
it is not (whilst not revealing their vote).
– Minimal dependence on (trust in) system components.
– Availability.
– No early results.
– Public confidence.
– Usability
– …….
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
4
Assumptions
• For the purposes of the talk I will make many
sweeping assumptions, e.g.,:
– An accurate electoral register is maintained.
– Mechanisms are in place to ensure that voters can be
properly authenticated.
– Mechanisms are in place to prevent double voting.
– Existence of a secure Web Bulletin Board.
– Etc.
• Note: Supervised rather than remote.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
5
Voter-verifiability in a nutshell
• Voters are provided with an encrypted “receipt” and are
able to verify the decryption in the booth.
• Copies of the receipts are posted to a web bulletin
board. Voters can verify that their (encrypted) receipt is
correctly posted.
• Tellers perform a robust anonymising mix on the batch of
posted receipts, revealing the decrypted votes at the
end.
• Checks are performed at each stage to catch any
attempt to decouple the encryption on the receipt from
the decryption performed by the tellers.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
6
Prêt à Voter
• Uses pre-prepared ballot forms that encode the
vote in familiar form (an  against the chosen
candidate).
• The candidate list is (independently) randomised
for each ballot form.
• Information allowing the candidate list to be
reconstructed is buried cryptographically in an
“onion” on each form.
• An excess number of forms are generated to
allow for random auditing, before, during and
after the election.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
7
Example (single candidate choice)
• Each ballot form has a unique, secret, random
seed s
• For each form, a permutation of the candidate
list is computed as a publicly known function of
this seed.
• The seed information is buried cryptographically
using public keys of a number of tellers in an
“onion” printed on the form.
• The seed can only be extracted by the collective
actions of tellers, or suitable subset if a threshold
scheme is used.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
8
Typical Ballot Sheet
Epicurus
Democritus
Aristotle
Socrates
Plato
$rJ9*mn4R&8
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
9
Voter marks their choice
Epicurus
Democritus

Aristotle
Socrates
Plato
$rJ9*mn4R&8
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
10
Voter’s Ballot Receipt

$rJ9*mn4R&8
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
11
Voter casts her vote
• Once the voter has made their choice, the LH strip is
detached and discarded.
• RH strip constitutes the receipt which is fed into a device
that reads the information on the right hand strip.
• The device will transmit a digital copy of the receipt (the
RH strip) to a central server, as a pair (r, Onion), for
posting to the web bulletin board.
• The RH strip is returned to Anne (digitally signed and
franked).
• Here r (Zv ) is the index value that encodes the position
of the .
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
12
Remarks
• Note that the receipt reveals nothing about the vote.
• The onion carries the crypto seed, encrypted with the teller’s public
keys, that (a subset of) the tellers use to reconstruct the permutation
of the candidate list.
• Without all of these secret keys (or an appropriate subset) the
candidate list cannot be reconstructed and hence the vote value
cannot be recovered.
• Vote is not directly encrypted, rather the frame of reference, i.e., the
candidate list, is randomised and information defining the frame is
encrypted.
• A VVPAT style mechanism can be incorporated.
• The voter choice must be made in isolation.
• Casting an encrypted ballot can be done in the presence of an
official, i.e., does have to be in isolation.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
13
Anonymisation and tabulation
• Once the election has closed and all receipts
have been posted to the WBB, a set of tellers
perform a robust anonymising mix on the
receipts:
– Receipts are decrypted by stages and undergo
multiple secret shuffles. Intermediate stages are also
posted to the WBB for audit.
– Tellers transform the “r” index value. The final “r”
values that emerge from the mix give the raw vote
value in the canonical basis.
– Any link between the original receipts and the
decrypted values will be lost.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
14
Seeds and offsets
• Suppose that we have k tellers. Each teller has two
public key pairs. For each ballot form 2k random germs
are generated:
gi,ZN (some modest size N, e.g., 232)
• The seed value is taken to be the sequence of these
germ g values:
Seed:= g0,g1,g2,g3, ….....g2k-1
• These germs are now crypto hashed and taken modulo
v:
di := hash(gi) (mod v) i= 0,1,2,……,2k-1
• And the candidate list offset  is given by the sum
modulo v of these:
 :=  i=02k-1 di (mod v)
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
15
Onion construction
• The germs are buried in the 2k layers of the
onion:
• D0 is a random value, unique to each ballot form.
Then:
Di+1 := {gi ,Di,}PKTi, , i= 0,…., 2k-1
Onion := D2k
• Thus:
Onion := {g2k-1 ,{g2k-1 ,{…..,{g2,{g1,{g0, D0 }PKT_0 }PKT_1
}PKT_2…..}PKT_2k-2 }PKT_2k-2 }PKT_2k-1
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
16
Batch 1
Batch 2
Teller 1
Frontiers of Electronic Elections
Milan, 16 September 2005
Batch 3
Teller 1'
P Y A Ryan
Prêt à Voter
19
What can go wrong…
• For the accuracy requirement:
– Ballot forms may be incorrectly constructed, leading
to incorrect decryption of the vote
– Ballot receipts could be corrupted before they are
entered in the tabulation process.
– Tellers may perform the decryption incorrectly.
• We now discuss the counter-measures to these
threats.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
20
Checking the ballot forms
• We need to check that the seed buried in the
onion does correspond to the candidate
permutation shown on the ballot form.
• Checks can be performed by auditors and the
voters to catch such corruption:
– Random audits of ballot forms performed before,
during and after the election period by the Electoral
Reform Soc etc.
– Voters could also be invited to perform similar checks
on randomly selected “dummy” forms. For example,
voters could be invited to randomly select a pair of
forms, one to check, one to cast their vote.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
21
Auditing ballot forms
• To check the construction of the ballot forms the values
on the form, onion and candidate ordering, can be
reconstructed if the seed value is revealed.
• One of the innovations of Prêt à Voter is to use the
tellers in an on-demand mode to reveal the secret seed
value buried in the onion. Avoids problems with storing
and selectively revealing seeds.
• Note, for this checking process, the tellers are used in an
on-demand basis before and during the election-quite
different to the batch mode for the anonymising mix after
the election has closed.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
22
Ballot form checking modes
•
In fact, this oracle teller mode suggests several ways
for voters to check the well-formedness of ballot forms:
1. Simple, single dummy vote
2. Multiple or ranked dummy vote
3. Given the onion value, the tellers return the candidate ordering
•
•
Note: vulnerable to authority/tellers collusion attacks.
The auditor checks are the more rigorous: not
vulnerable to authority/teller collusions.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
23
Recording and transmission
• To check that receipts are accurately
recorded and input into the mix:
• Voters can visit the WBB and check that
their receipt appears correctly recorded.
• Voter checks can be supplemented by
independent audit authorities checking the
WBB against the VVPAT style record of
ballot receipts (also useful to recount and
recovery).
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
24
Auditing the tellers
• Partial Random Checking of the teller transformations:
auditor randomly selects half the of the links to be
revealed and checked, but in such a way as not to reveal
any links across the two transformations performed by
the teller.
• Go down middle WBB column for each teller and
randomly assign ► or ◄ to each pair.
• For a ►(◄), the tellers reveal the outgoing (incoming)
link along with the associated re-encryption
randomisation values.
• Note: because no complete paths across a given teller’s
pair of mixes are revealed by the audit process, we can
audit the tellers independently.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
25
Auditing the tellers
Frontiers of Electronic Elections
Milan, 16 September 2005
TellerP Y1A Ryan
Prêt à Voter
Teller 1'
26
Advantages of Prêt à Voter
• Voter experience simple and familiar.
• Ballot form commitments and checks made
before election opens  neater recovery
strategies.
• The vote recording device doesn’t get to learn
the vote.
• Votes are not directly encrypted, just the frame
of reference.
• Highly flexible.
• Adaptable to remote voting (see talk by Michael
Clarkson).
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
27
Enhancements
• Re-encryption mixes
• Distributed generation of ballot forms.
• Concealment of onion/candidate list
associations.
• Separation of teller modes.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
28
Re-encryption mixes
• Prêt à Voter Classic uses Chaumian (decryption) mixes.
• Alternatives:
– re-encryption mixes.
– Homomorphism schemes etc..
• Advantages of re-encryption:
– Tellers inject fresh entropy at each stage, hence onion size doesn’t grow
with number of tellers and germ size.
– Less dependence on availability of tellers: a faulty mix teller can just be
binned and replaced.
– Full mixing over the El Gamal group.
– Clean separation of mixing and decryption stages.
– Mixes and audits can be rerun afresh.
• Downsides:
– Need shuffle commitments.
– Tricky to mesh with Prêt à Voter.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
29
Re-encryption mixes
•
Prêt à Voter’s rather special representation of the vote
in the receipts makes it tricky to mesh with reencryption mixes. Some possible approaches:
1.
2.
3.
4.
5.
6.
7.
Leave r terms unchanged through the mixes.
Follow re-encryption mixes with Chaumian decryption mixes.
Absorb the r into the onion value
transform both r and D terms leaving vote value invariant – but
seems to necessitate malleable encryption.
Add teller transforms to the index values, storing the entropy in
an extra (pre-generated and audited) “onion” value.
Primitive for which only orbits of the local permutation group
can be generated (“slightly malleable”).
Use zero-knowledge/crypto-homomorphism mixes-but looses
the conceptual simplicity of the PRC approach (and linear
scaling behaviour).
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
30
Discussion
• Option 1: allows the adversary to partition the mix
according the index value, but might be okay where the
number of voters vastly exceeds the number of ballot
options.
• Option 2: again the re-encryption mix can be partitioned.
Might be a reasonable compromise.
• Options 3 and 4: seems to work nicely but appears to
necessitate malleable encryption for the terms that move
through the mix. Not clear whether this introduces
vulnerabilities not countered by the mix audits.
• Option 5: speculative.
• Option 6: promising, but seems to loose the conceptual
simplicity of the PRC approach, and perhaps the linear
scaling properties.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
31
El Gamal encryption
• El Gamal encryption:
• let  be a generator of cyclic group Zp*, p a large prime.
Choose k (2kp-2) and let  = k (mod p).
• p,  and  made public, k kept secret.
• (Randomised encryption) of m in {0, …, p-1}:
(x, x.m) =: (y1, y2)
• Re-encryption:
(x+y, x+y.m)
• Note: same as directly encrypting m with x+y.
• Decryption:
m = y2 /y1k
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
32
Option 3
• Let d be the ballot seed. Encrypt -d in the El
Gamal pair to form the onion.
(x, x. -d) =: (y1, y2)
• Where d (mod ) can be taken as the offset.
• A receipt pair can be transformed to:
(r, x, x. -d)  (x, x. r-d)
• This can be put through a conventional reencryption mix and the final decryption yields the
vote value directly.
• Fine for cyclic shifts of the candidate list, needs
elaboration for full permutations.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
33
Prêt à Voter Vulnerabilities
• Chain voting.
• Authority knowledge of ballot form
information.
• Destruction of LH strips.
• Separation of teller modes.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
34
Chain Voting
•
Effective against many conventional voting
systems:
1. Coercer smuggles a blank ballot form out of the
polling station and marks it with their preferred
candidate.
2. They intercept a voter entering the polling station,
hand them the marked up form and tell them that if
they emerge from the station with a fresh, unmarked
form they will be rewarded.
3. Return to step 1.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
35
Counter-measures
• In a system like the UK system in which voters are given
a ballot form when they register and are them observed
to cast the form in the ballot box, this can be quite
effective: if the voter emerges with a fresh, blank form it
is a strong indication that they cast the coercer’s marked
form.
• For a conventional system, a possible counter-measure
is to use a system along the lines of the French system:
ballot forms are not controlled, only their casting. Ballot
forms are freely available at the polling station. Voters
register at the moment that they cast their vote, in an
envelope.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
36
Chain voting and Prêt à Voter
• Particularly virulent with WBB systems. Conventional
counter-measure fails.
• Countermeasures:
– Note:
– Voters don’t need sight of the onion value in order to make their
selection.
– casting an encrypted ballot can be in the presence of a voting
official.
• Hence:
– Conceal the onion under a scratch strip.
– Official checks scratch strip is intact at time of casting.
– Also need to check that form used to cast corresponds to the
forms given to the voter when they register.
– Handling ballot forms in sealed envelopes also helps.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
37
Authority knowledge
• Entities that create and handle the ballot forms must be trusted to
keep onion/candidate lists secret.
• Countermeasures:
– Create pairs on “entangled” onions. Conceal one under a scratch card
or cryptographically and perform a pre-mix.
– Have a further entity translate the exposed onions into candidate lists.
– Random audit the resulting forms.
– Cast encrypted receipts in presence of an official and reveal the onion
value at this point.
• Further possibilities:
– “Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence
Tests (PET) the entangled onion pairs and PRC the mix)
– Just in time candidate lists.
– Just in time onions.
– Multiple entangled onions (independently reveal candidate lists for n-1)
• Plenty of possibilities, some adaptable to remote contexts.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
38
Destruction of LH strips
• Procedural: officials oversee destruction of LH strips.
• Mechanical: device that automatically strips off the LH strip and
discards it.
• Decoy strips: plentiful supply of alternative LH strips provided in the
booth.
• Scratch strips: onion under the strip (in 2D bar code?) candidate list
overprinted: revealing the onion destroys the list.
• Disc ballots!? Ballot “forms” take the form of a pair of discs sealed
together. After selection they are separated. Axial symmetry ensures
that the original configuration is lost.
• Quantum!? Ballot “forms” using entangled q-bits. Measurement to
reveal candidate lists collapses the wave functions.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
39
Confusion of tellers modes
• Essential that any onion can be processed at
most once.
– Allow on-demand teller mode only during the preelection phase. Ensure that all audited ballot as
destroyed.
– Procedural/Mechanical: any processed form is
invalidated to prevent reuse.
– Cryptographic, e.g., authentication codes that are
destroyed when the onion is used.
– Just in time candidate lists: revealed only at the time
that the voter makes their selection.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
40
Future work
• On the current model:
–
–
–
–
–
–
Determine exact requirements.
Formal analysis and proofs.
Construct threat and trust models.
Investigate error handling and recovery strategies.
Develop a full, socio-technical systems analysis.
Develop prototypes and run trials, e.g., e-voting
games!
– Investigate public understanding and trust.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
41
Future work
• Beyond the current scheme:
– Alternative sources of seed entropy: Voters,
optical fibres in the paper,…?
– Protocols for on-demand/distributed
generation and checking of ballot forms, e.g.,
authenticated onion establishment.
– (Threshold) schemes to thwart collusion
attacks on checking modes.
– Alternative robust mixes.
– Adaptation to remote voting (Cornell work).
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
42
References
•
•
•
•
•
•
•
•
•
•
David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy
Journal, 2(1): 38-47, Jan/Feb 2004.
J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle
Tech Report CS-TR-809, 2003.
J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003.
P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR
2004
P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June 2004.
P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT
Boston 1-2 October 2004.
P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January
2005 Long Beach Ca.
D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle
TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679.
B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005.
P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929,
September 2005.
Frontiers of Electronic Elections
Milan, 16 September 2005
P Y A Ryan
Prêt à Voter
43