Pret a Voter - University of Melbourne
Can voters check that their e-vote is cast as they intended
and properly included in an accurate count?
Vanessa Teague
University of Melbourne
[email protected]
CIS department seminar, March ’14
Why verifiable voting?
What’s wrong with this picture?
[Diagram: voters’ PCs send RSA-encrypted votes to an Electoral Commission server holding the decryption key, which produces the election outcome]
The challenge
Vote privacy is relatively easy
Using standard crypto and a completely trusted
decryption & counting system
Verifiability is relatively easy
If you don’t care about privacy: just make all the votes
public
The challenge is to do both:
verifiably accurate results that preserve privacy
Electronic election verification
Each voter can check that their vote matches their
intention
Even if the computer they’re using is compromised
Everyone can check that the votes were properly
handled after casting
Not in this talk
Details about privacy
Verifying the counting software
e.g. Rajeev Goré’s work on EVACS.
Other important requirements
Usability, robustness, security from outside attack,
Outline
On the Internet
NSW (Everyone Counts)
Norway (Gjøsteen, Scytl)
Helios (Adida, de Marneffe, Pereira et al.)
In the polling place
VEC verifiable system based on prêt à voter
Electronic ballot markers (WA, Tas, proposed NSW)
iVote (NSW) 2011
[Diagram: verification numbers Verif1, Verif2, Verif3 exchanged between voter and system]
Voters log in again later to query the system and see if they get the right “verif” number back
iVote 2015
A new version is proposed for 2015 NSW state election
Voter sends vote to server using plain SSL/TLS again
Each voter checks their vote (unencrypted) with an
“auditor”
But don’t worry, the auditor can’t possibly tell who you are just
by looking at your IP address
Auditor promises to check that they all go properly into
the count
See draft design at http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf
iVote (proposed NSW) 2015
[Diagram: voter sends vote to the Electoral Commission over TLS; a separate TLS connection to the Auditor carries the plaintext vote check]
Norway
A partially-verifiable Internet voting scheme
Used in recent Norwegian local & parliamentary
elections
Openly-available source code with public docs & papers
Uses Norwegian government electronic ID scheme
Implemented by Scytl
Example 3: Norway
Each voter gets a “code sheet” by snail mail
Everyone’s code sheet is different
Example code sheet:
Red: 3492
Green: 3513
Chequered: 8934
Fuzzy: 3489
Cross: 0114
Yellow: 9253
Voter’s PC encrypts party name, sends to server
Authorities SMS party code to voter’s mobile phone
Corrupt PC can’t lie about your vote undetectably
Unless it learns the codes
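The return-code idea above, as an added illustration that is not the Norwegian system’s or Scytl’s code. It assumes a simplified design: a single code server holds the election decryption key d and a secret per-voter value s_v, decrypts the PC’s ciphertext, and derives the SMS code from the party and s_v; the posted code sheet is generated from the same function. Collapsing the decryption and code generation into one trusted component is an assumption made for brevity, and the group parameters are a toy safe-prime group chosen for readability, not security.

```python
# Added illustration (not the Norwegian/Scytl protocol): voter-specific
# return codes let the voter catch a PC that encrypted the wrong party.
import hashlib
import secrets

P, Q, G = 1019, 509, 4            # toy safe-prime group p = 2q + 1, g of order q
PARTIES = ["Red", "Green", "Chequered", "Fuzzy", "Cross", "Yellow"]

def keygen():
    """Election key pair: private d, public e = g^d."""
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)

def encrypt(e, party_index, r):
    """Exponential ElGamal: Enc_e(g^m, r) for party index m."""
    return pow(G, r, P), (pow(G, party_index, P) * pow(e, r, P)) % P

def decrypt_index(d, ct):
    """Recover g^m and decode the small index m by search."""
    c1, c2 = ct
    gm = (c2 * pow(c1, -d, P)) % P
    return next(m for m in range(len(PARTIES)) if pow(G, m, P) == gm)

def code_for(voter_id, s_v, party_index):
    """Voter-specific 4-digit return code (hash of voter secret and party)."""
    digest = hashlib.sha256(f"{voter_id}|{s_v}|{party_index}".encode()).hexdigest()
    return f"{int(digest[:8], 16) % 10000:04d}"

def make_code_sheet(voter_id):
    """Printed and posted before the election; s_v stays with the code server.
    s_v is regenerated until all codes on the sheet differ, so a wrong party
    always yields a code the voter can see is wrong."""
    while True:
        s_v = secrets.randbelow(2**64)
        sheet = {p: code_for(voter_id, s_v, i) for i, p in enumerate(PARTIES)}
        if len(set(sheet.values())) == len(PARTIES):
            return s_v, sheet

def code_server_sms(d, voter_id, s_v, ct):
    """Assumed single trusted code server: the SMS carries the code for whatever
    party the ciphertext really contains, not for what the PC claims."""
    return code_for(voter_id, s_v, decrypt_index(d, ct))

def pc_vote(e, party_index, lie=False):
    """The voter's PC. With lie=True it silently encrypts a different party."""
    actual = (party_index + 1) % len(PARTIES) if lie else party_index
    return encrypt(e, actual, secrets.randbelow(Q - 1) + 1)

def voter_check(sheet, intended_party, sms_code):
    """The voter compares the SMS against the row on the paper sheet."""
    return sheet[intended_party] == sms_code
```

The PC never sees the code sheet, so it cannot compute the code for the party it substituted; the check fails exactly as the slide says, unless the PC has somehow learnt the codes.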
Norway
An admirable process
Public consultation, open source code, academic review,
honesty about problems
Still some gaps in the protocol
But at least they know what they are
And some bugs in the implementation
But there’s a process for finding and fixing them
The open process allows for a scientific discussion
based on facts & careful analysis
Helios
An “end-to-end verifiable” Internet voting scheme
By Adida, de Marneffe, Pereira
Source code and docs at heliosvoting.org
Used by the IACR in their board elections
Each voter can verify that their vote is
cast as they intended
Properly included in the count
Anyone can verify that all the included votes are
properly decrypted and tallied
One-page reminder about public
key crypto
The receiver generates two keys:
a public key e (for encrypting), and
a private key d (for decrypting)
She publicises the public key e
People use this for encrypting messages
They also include some randomness r
Ciphertext C = Enc_e(msg, r)
She keeps the private key d secret
She uses this for decrypting messages
Helios: cast-as-intended
verification
You don’t trust your PC to encrypt the right thing
You do trust your PC for privacy
Ask your PC to produce lots of (different) encrypted votes
It doesn’t know which one you’re going to use
Photograph them, print them, or send them to other
devices
Ask your PC to ‘open’ all but one of them
i.e. to tell you the randomness r it used for encrypting
Get the other devices to check the encryption was right
They just recompute Enc_e(msg, r)
Cast the one you didn’t open
So your privacy is preserved
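The cast-as-intended protocol just described, as an added example that is not Helios’ own code. The “second device” that recomputes Enc_e(msg, r) is played by the checking function itself; the group is a toy safe-prime group chosen for readability, not security. A PC that cheats on only one of the n encryptions is caught with probability (n-1)/n, which the voter raises by asking for more.

```python
# Added example (not Helios code): challenge all but one encryption, cast the
# one that was never opened.
import secrets

P, Q, G = 1019, 509, 4            # toy safe-prime group p = 2q + 1, g of order q
NUM_CANDIDATES = 5

def keygen():
    """Receiver's key pair: private d, public e = g^d (the e and d of the slides)."""
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)

def encrypt(e, msg, r):
    """Enc_e(msg, r): exponential ElGamal of candidate index msg with randomness r."""
    return pow(G, r, P), (pow(G, msg, P) * pow(e, r, P)) % P

def decrypt(d, ct):
    c1, c2 = ct
    gm = (c2 * pow(c1, -d, P)) % P
    return next(m for m in range(NUM_CANDIDATES) if pow(G, m, P) == gm)

class VotingPC:
    """The voter's PC. It keeps r for every ciphertext so it can 'open' any of
    them on demand. cheat=True makes it encrypt the wrong candidate."""
    def __init__(self, e, cheat=False):
        self.e, self.cheat, self.randomness = e, cheat, {}

    def encrypt_vote(self, msg):
        r = secrets.randbelow(Q - 1) + 1
        actual = (msg + 1) % NUM_CANDIDATES if self.cheat else msg
        ct = encrypt(self.e, actual, r)
        self.randomness[ct] = r
        return ct

    def open(self, ct):
        return self.randomness[ct]

def cast_as_intended(e, pc, msg, n=5):
    """Ask the PC for n encryptions, open all but one, cast the unopened one.
    Returns the ciphertext to cast, or None if an opened ciphertext was wrong."""
    cts = [pc.encrypt_vote(msg) for _ in range(n)]
    keep = secrets.randbelow(n)          # chosen only after the PC produced all n
    for i, ct in enumerate(cts):
        if i == keep:
            continue
        r = pc.open(ct)
        if encrypt(e, msg, r) != ct:     # second device recomputes Enc_e(msg, r)
            return None
    return cts[keep]                     # never opened: its r stays with the PC
```

The cast ciphertext is exactly the one whose randomness was never revealed, which is why the check costs nothing in privacy.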
So why not use Helios for Aus
government elections?
Difficulty of cast-as-intended protocol
Voters need to understand it to get it right
Extension to STV ballots with 97 people
Computational scalability
Internet Voting: summary
There is no end-to-end verifiable Internet voting
scheme that’s
Usable for ordinary voters
Adaptable to Australian-style preferential elections
And we haven’t even talked about
Authenticating the voters
Preserving privacy
Outline
On the Internet
NSW (Everyone Counts)
Norway (Gjøsteen, Scytl)
Helios (Adida, de Marneffe, Pereira et al.)
In the polling place
Vic verifiable system based on prêt à voter
Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
Electronic ballot markers (WA, Tas, proposed NSW)
The Victorian Electoral
Commission’s polling-place voting
system
I’ve done a lot of work on this project
But am not representing the VEC’s official position in any way
Based on the prêt à voter end-to-end verifiable voting
scheme (Ryan, Schneider, Chaum)
Implemented by a team at U Surrey (Culnane, Heather,
Schneider)
With some help from the VEC (Burton)
This scheme is end-to-end verifiable
Except that the point at which its output is joined with the rest of the ballots is observable only by scrutineers
Victoria polling-place 2014 cont’d
Each voter gets a human-readable printout to check
The printout is transformed into an encrypted receipt
The voter gets evidence that this is the vote they intended
Without being able to prove to others how they voted
Voter takes their encrypted receipt home
checks that it’s in the accepted list
The accepted list is shuffled & decrypted with a
mathematical proof of correctness
Which anyone can check
Source code at https://bitbucket.org/vvote
Prêt à Voter
Uses pre-prepared paper ballot forms that encode the vote in familiar form.
The candidate list is randomised for each ballot form.
Information defining the candidate list is encrypted in an “onion” value printed on each ballot form.
Actually, we print a serial number that points to the encrypted values in a public table
[Ballot form: candidate list Red, Green, Chequered, Fuzzy, Cross, with onion value $rJ9*mn4R&8]
Ballot auditing
Each voter can challenge as many ballots as they like
And get a proof that the onion matches the candidate list
Then don’t use that ballot
Then vote on an unchallenged one
So you can’t prove how you voted
[Ballot form: candidate list Red, Green, Chequered, Fuzzy, Cross, with onion value $rJ9*mn4R&8]
Voting
Fill in the boxes as usual
Use a computer to help
Check its printout against candidate list
Shred candidate list
Computer uploads vote (same info as on printout)
Take printout home (it doesn’t reveal the vote)
[Filled-in ballot form: Red 5, Green 1, Chequered 3, Fuzzy 2, Cross 4, onion value $rJ9*mn4R&8; the printout carries the value $rJ9*mn4R&8]
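The ballot lifecycle of the last three slides (randomised list with an encrypted onion, ballot auditing by opening the onion, and a receipt that carries only the marks), as an added example that is not the vVote code. It assumes, for brevity, that the onion is a single exponential-ElGamal encryption of the index of the permutation, and it uses a toy safe-prime group chosen for readability, not security.

```python
# Added example (not vVote code): prêt à voter ballot, audit and receipt.
import itertools
import secrets

P, Q, G = 1019, 509, 4            # toy safe-prime group p = 2q + 1, g of order q
CANDIDATES = ["Red", "Green", "Chequered", "Fuzzy", "Cross"]
PERMS = list(itertools.permutations(range(len(CANDIDATES))))   # 120 possible orders

def keygen():
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)

def encrypt(e, msg, r):
    """Exponential ElGamal Enc_e(g^msg, r)."""
    return pow(G, r, P), (pow(G, msg, P) * pow(e, r, P)) % P

def decrypt(d, ct):
    c1, c2 = ct
    gm = (c2 * pow(c1, -d, P)) % P
    return next(m for m in range(len(PERMS)) if pow(G, m, P) == gm)

def make_ballot(e, serial):
    """Authority prints serial + permuted candidate list. The onion is published
    in the table under the serial; (permutation index, r) stays with the authority."""
    idx = secrets.randbelow(len(PERMS))
    r = secrets.randbelow(Q - 1) + 1
    ballot_list = [CANDIDATES[c] for c in PERMS[idx]]
    public = {"serial": serial, "onion": encrypt(e, idx, r)}
    secret = {"perm_index": idx, "r": r}
    return ballot_list, public, secret

def audit_ballot(e, ballot_list, public, opened):
    """Challenge: the authority reveals (permutation index, r); anyone recomputes
    the onion and checks the printed list matches. That ballot is then discarded."""
    recomputed = encrypt(e, opened["perm_index"], opened["r"])
    printed = [CANDIDATES[c] for c in PERMS[opened["perm_index"]]]
    return recomputed == public["onion"] and printed == ballot_list

def mark_ballot(ballot_list, preferences):
    """Voter ranks candidates; the marks are recorded in *ballot* order."""
    return [preferences[name] for name in ballot_list]

def receipt(public, marks):
    """What the voter takes home: serial (pointing at the onion) and marks, no names."""
    return {"serial": public["serial"], "marks": marks}

def decode_receipt(d, rec, public_table):
    """Once the onion is decrypted, the marks map back to candidate names."""
    perm = PERMS[decrypt(d, public_table[rec["serial"]])]
    return {CANDIDATES[c]: m for c, m in zip(perm, rec["marks"])}
```

The receipt alone is a column of numbers next to a serial; without the decrypted onion it says nothing about which candidate got which preference, which is what lets the voter take it home and look it up on the public list.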
Checking from home that your
vote is there
There’s a public website listing all the receipts
More precisely, there’s a “bulletin board” which is a
public website augmented with some evidence that
everyone sees the same data
Find yours
Verifying shuffling and decryption
Now we have a list of encrypted votes
On a public website
Encrypted, and linked to voter’s identities
Because each voter still holds their receipt
We want to
Shuffle the votes
To break the link with voter ID
Decrypt the votes
Prove that this was done correctly
What’s public-key cryptography?
The receiver generates two keys:
a public key e (for encrypting), and
a private key d (for decrypting)
She publicises the public key e
People use this for encrypting messages
They also include some randomness
She keeps the private key d secret
She uses this for decrypting messages
Picture of public-key cryptography
[Diagram: Sender and Receiver, RSA encryption and decryption]
Re-randomising encryption
Without knowing the secret key, re-do the
randomness used in the encryption
The message stays the same
But the new encryption can’t be linked to the old one
Randomised partial checking
By Jakobsson, Juels & Rivest
Significant improvements by Wikström
We can’t (completely) prevent a hacker from breaking
in to all the computers and changing the votes, but
We can check the process thoroughly enough to be
confident that
If the checks succeed then
The system produced the right output
With very high probability
Randomised partial checking
A pair of mix servers shuffle and rerandomise
Choose randomly to prove the link to start or end
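Re-randomisation and randomised partial checking over a pair of mix servers, as described in the last few slides, as an added example that is not the vVote or Wikström implementation. It uses a toy safe-prime group chosen for readability, and the auditor supplies one coin per intermediate position.

```python
# Added example (not vVote code): two mix servers, each shuffling and
# re-randomising, audited by randomised partial checking.
import secrets

P, Q, G = 1019, 509, 4            # toy safe-prime group p = 2q + 1, g of order q
_rng = secrets.SystemRandom()

def keygen():
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)

def encrypt(e, msg, r):
    return pow(G, r, P), (pow(G, msg, P) * pow(e, r, P)) % P

def fresh_encryptions(e, votes):
    return [encrypt(e, v, secrets.randbelow(Q - 1) + 1) for v in votes]

def rerandomise(e, ct, s):
    """Multiply by an encryption of g^0 with randomness s: same plaintext,
    but without the secret key the new ciphertext cannot be linked to the old."""
    c1, c2 = ct
    return (c1 * pow(G, s, P)) % P, (c2 * pow(e, s, P)) % P

def decrypt_gm(d, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -d, P)) % P

def mix(e, cts):
    """One mix server: shuffle and re-randomise. Returns the public output and
    the server's private record of where each input went and with which s."""
    n = len(cts)
    perm = list(range(n))
    _rng.shuffle(perm)
    out, links = [None] * n, [None] * n
    for i, ct in enumerate(cts):
        s = secrets.randbelow(Q - 1) + 1
        out[perm[i]] = rerandomise(e, ct, s)
        links[i] = (perm[i], s)          # input i -> output perm[i], factor s
    return out, links

def run_mixnet(e, cts):
    mid, links1 = mix(e, cts)
    out, links2 = mix(e, mid)
    return mid, out, links1, links2

def random_coins(n):
    return [secrets.randbelow(2) for _ in range(n)]

def rpc_audit(e, inp, mid, out, links1, links2, coins):
    """For intermediate position j, coin 0 opens mix 1's link *into* j and
    coin 1 opens mix 2's link *out of* j. Each ballot has exactly one of its two
    hops revealed, so no input is traceable to an output, yet a server that
    substituted a ciphertext is caught whenever that hop is opened."""
    into_mid = {dst: (i, s) for i, (dst, s) in enumerate(links1)}
    for j in range(len(mid)):
        if coins[j] == 0:
            i, s = into_mid[j]
            if rerandomise(e, inp[i], s) != mid[j]:
                return False
        else:
            k, s = links2[j]
            if rerandomise(e, mid[j], s) != out[k]:
                return False
    return True
```

A single substituted ciphertext survives the audit only if its hop happened not to be opened, so the more ballots an attacker changes, the smaller the chance that all of them escape.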
Provable decryption step
Trust me, this can be done
Using Chaum-Pedersen proofs of dlog equality
Showing proper decryption of El Gamal ciphertext given El Gamal public key
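The provable decryption step spelled out, as an added example that is not the vVote code: a Chaum-Pedersen proof that log_g(e) = log_{c1}(c1^d), i.e. that the published decryption factor was computed with the same secret key as the public key. The Fiat-Shamir challenge via SHA-256 and the toy safe-prime group are choices made here for readability, not security.

```python
# Added example (not vVote code): Chaum-Pedersen proof of correct ElGamal decryption.
import hashlib
import secrets

P, Q, G = 1019, 509, 4            # toy safe-prime group p = 2q + 1, g of order q

def keygen():
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)

def encrypt(e, msg, r):
    return pow(G, r, P), (pow(G, msg, P) * pow(e, r, P)) % P

def _challenge(*values):
    """Fiat-Shamir: hash the public key, c1, the claimed factor and the commitments."""
    h = hashlib.sha256("|".join(str(v) for v in values).encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_decryption(d, e, ct):
    """Decryptor publishes factor = c1^d plus a proof (a, b, z) that
    log_g(e) = log_{c1}(factor) = d, without revealing d."""
    c1, _ = ct
    factor = pow(c1, d, P)
    w = secrets.randbelow(Q - 1) + 1
    a, b = pow(G, w, P), pow(c1, w, P)
    ch = _challenge(e, c1, factor, a, b)
    z = (w + ch * d) % Q
    return factor, (a, b, z)

def verify_decryption(e, ct, factor, proof):
    """Anyone: g^z = a * e^ch and c1^z = b * factor^ch must both hold."""
    c1, _ = ct
    a, b, z = proof
    ch = _challenge(e, c1, factor, a, b)
    return (pow(G, z, P) == (a * pow(e, ch, P)) % P
            and pow(c1, z, P) == (b * pow(factor, ch, P)) % P)

def plaintext(ct, factor):
    """g^m = c2 / factor; decode a small m by search (candidate indices only)."""
    _, c2 = ct
    gm = (c2 * pow(factor, -1, P)) % P
    return next(m for m in range(32) if pow(G, m, P) == gm)
```

Anyone holding the public key, the ciphertext and the posted factor can run the verifier; a decryptor that posts a factor for some other plaintext cannot produce a proof that passes, because the proof would need a d that matches both e and the false factor.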
Privacy
Whenever you have a computer helping you fill in your
vote, that computer is a privacy risk
So is the ballot printer
There are some clever schemes for verifiable voting
that don’t tell your computer how you voted
e.g. the “plain” version of prêt à voter in which you fill in
the ballot with a pencil
But none of them work with 30-candidate STV
This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote
Summary
This provides a rigorous after-the-fact argument that the
answer was right (with high probability)
To the court we’d say
We worked really hard to make sure the software was correct
We worked really hard to make the computers secure
But even if these were not perfect:
The voters & the public could check the integrity of the data
directly
And the scrutineers can reconcile that with the rest of the count
And would have detected a manipulation with high
probability
Feedback
If you’d like to write your own proof checker, verifier,
signature checker, etc, for vVote, please come and talk
to me,
If you think you’ve found a bug, please come and talk
to me,
If you read the supporting materials and you think
you’ve found a bug, please come and talk to me.
A human-readable paper record
So the voter can check directly that their vote is cast as
they intended
Electronic ballot marker
Vote on a computer, print your vote, put it in a ballot box
In use in WA & Tas, proposed in NSW
Good for voters who need assistance and also for validity
checking for everyone
Conclusion
Verifiable Internet voting is an unsolved problem
Verifiable polling-place voting has several sensible
solutions
But there are important details in extending them to
Australian voting
So what happens now?
The AEC recently produced a discussion paper on Internet voting
http://www.eca.gov.au/media/18-09-13.htm
"7.8 As noted in Part 1, the extent to which it can be guaranteed
that votes cast on the internet will not be susceptible to
interference of one form or another has been a matter of vigorous
dispute. This paper takes no stand on that issue,..."
"7.17 The need for new transparency mechanisms to replace
those associated with the paper ballot remains a matter of
fundamental importance, and one which will rise in significance
in direct proportion to the number of people actually using
internet voting. Elaboration of such mechanisms is beyond the
scope of this paper."