Pret a Voter - University of Melbourne


Can voters check that their e-vote is cast as they intended
and properly included in an accurate count?
Vanessa Teague
University of Melbourne
[email protected]
CIS department seminar, March ’14
Why verifiable voting?
What’s wrong with this picture?
[Diagram: voters’ PCs send RSA-encrypted votes to an Electoral Commission server holding the decryption key, which produces the election outcome]
The challenge
 Vote privacy is relatively easy
 Using standard crypto and a completely trusted
decryption & counting system
 Verifiability is relatively easy
 If you don’t care about privacy: just make all the votes
public
 The challenge is to do both:
 verifiably accurate results that preserve privacy
Electronic election verification
 Each voter can check that their vote matches their
intention
 Even if the computer they’re using is compromised
 Everyone can check that the votes were properly
handled after casting
 Not in this talk
 Details about privacy
 Verifying the counting software
 e.g. Rajeev Goré’s work on EVACS.
 Other important requirements
 Usability, robustness, security from outside attack,
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 VEC verifiable system based on prêt à voter
 Electronic ballot markers (WA, Tas, proposed NSW)
iVote (NSW) 2011
[Diagram: iVote 2011 voters and the system exchanging verification numbers Verif1, Verif2, Verif3]
Voters log in again later to query the system and see if they get the right “verif number” back
iVote 2015
 A new version is proposed for 2015 NSW state election
 Voter sends vote to server using plain SSL/TLS again
 Each voter checks their vote (unencrypted) with an
“auditor”

But don’t worry, the auditor can’t possibly tell who you are just
by looking at your IP address
 Auditor promises to check that they all go properly into
the count
 See draft design at http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf
iVote (proposed NSW) 2015
[Diagram: voter sends the vote to the Electoral Commission over TLS, then performs a plaintext vote check with the Auditor over TLS]
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 VEC verifiable system based on prêt à voter
 Electronic ballot markers (WA, Tas, proposed NSW)
Norway
 A partially-verifiable Internet voting scheme
 Used in recent Norwegian local & parliamentary
elections
 Openly-available source code with public docs & papers
 Uses Norwegian government electronic ID scheme
 Implemented by Scytl
Example 3: Norway
 Each voter gets a “code sheet” by snail mail
 Everyone’s code sheet is different
Example code sheet:
  Red        3492
  Green      3513
  Chequered  8934
  Fuzzy      3489
  Cross      0114
  Yellow     9253
 Voter’s PC encrypts party name, sends to server
 Authorities SMS party code to voter’s mobile phone
 Corrupt PC can’t lie about your vote undetectably
  Unless it learns the codes
Norway
 An admirable process
 Public consultation, open source code, academic review,
honesty about problems
 Still some gaps in the protocol
 But at least they know what they are
 And some bugs in the implementation
 But there’s a process for finding and fixing them
 The open process allows for a scientific discussion
based on facts & careful analysis
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 VEC verifiable system based on prêt à voter
 Electronic ballot markers (WA, Tas, proposed NSW)
Helios
 An “end-to-end verifiable” Internet voting scheme
 By Adida, de Marneffe, Pereira
 Source code and docs at heliosvoting.org
 Used by the IACR in their board elections
 Each voter can verify that their vote is
 cast as they intended
 Properly included in the count
 Anyone can verify that all the included votes are
properly decrypted and tallied
One-page reminder about public
key crypto
 The receiver generates two keys:
 a public key e (for encrypting), and
 a private key d (for decrypting)
 She publicises the public key e
 People use this for encrypting messages
 They also include some randomness r
 Ciphertext C = Enc_e(msg, r)
 She keeps the private key d secret
 She uses this for decrypting messages
Helios: cast-as-intended
verification
 You don’t trust your PC to encrypt the right thing
 You do trust your PC for privacy
 Ask your PC to produce lots of (different) encrypted votes
 It doesn’t know which one you’re going to use
 Photograph them, print them, or send them to other
devices
 Ask your PC to ‘open’ all but one of them
 i.e. to tell you the randomness r it used for encrypting
 Get the other devices to check the encryption was right
 They just recompute Enc_e(msg, r)
 Cast the one you didn’t open
 So your privacy is preserved
So why not use Helios for Aus
government elections?
 Difficulty of cast-as-intended protocol
 Voters need to understand it to get it right
 Extension to STV ballots with 97 people
 Computational scalability
Internet Voting: summary
 There is no end-to-end verifiable Internet voting
scheme that’s
 Usable for ordinary voters
 Adaptable to Australian-style preferential elections
 And we haven’t even talked about
 Authenticating the voters
 Preserving privacy
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 Vic verifiable system based on prêt à voter
  Voting
  Checking from home that your vote is there
  Verifying shuffling and decryption
  Privacy
 Electronic ballot markers (WA, Tas, proposed NSW)
The Victorian Electoral
Commission’s polling-place voting
system
 I’ve done a lot of work on this project
 But am not representing the VEC’s official position in any way
 Based on the prêt à voter end-to-end verifiable voting
scheme (Ryan, Schneider, Chaum)
 Implemented by a team at U Surrey (Culnane, Heather,
Schneider)
 With some help from the VEC (Burton)
 This scheme is end-to-end verifiable
 Except that the point at which its output is joined with the rest of the ballots is observable only by scrutineers
Victoria polling-place 2014 cont’d
 Each voter gets a human-readable printout to check
 The printout is transformed into an encrypted receipt
 The voter gets evidence that this is the vote they intended
 Without being able to prove to others how they voted
 Voter takes their encrypted receipt home
 checks that it’s in the accepted list
 The accepted list is shuffled & decrypted with a
mathematical proof of correctness
 Which anyone can check
 Source code at https://bitbucket.org/vvote
Prêt à Voter
 Uses pre-prepared paper
ballot forms that encode the
vote in familiar form.
 The candidate list is
randomised for each ballot
form.
 Information defining the
candidate list is encrypted in
an “onion” value printed on
each ballot form.
 Actually, we print a serial
number that points to the
encrypted values in a public
table
[Ballot form: candidates Red, Green, Chequered, Fuzzy, Cross with the printed onion/serial value $rJ9*mn4R&8]
Ballot auditing
 Each voter can challenge as many ballots as they like
 And get a proof that the onion matches the candidate list
 Then don’t use that ballot
 Then vote on an unchallenged one
 So you can’t prove how you voted
[Ballot form: candidates Red, Green, Chequered, Fuzzy, Cross with the printed onion/serial value $rJ9*mn4R&8]
Voting
 Fill in the boxes as usual
 Use a computer to help
 Check its printout against candidate list
 Shred candidate list
 Computer uploads vote
  Same info as on printout
 Take printout home
  It doesn’t reveal the vote
[Diagram: filled-in ballot form with preferences Red 5, Green 1, Chequered 3, Fuzzy 2, Cross 4 and onion/serial $rJ9*mn4R&8; the same serial $rJ9*mn4R&8 appears on the printout]
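To make the three ballot slides concrete, here is an added Python model of the prêt à voter ballot form, the public onion table, ballot auditing and the receipt. It is example code written for this transcript, not the vVote code base or the talk’s own software. The onion is modelled as a SHA-256 commitment to the randomised candidate order (an assumption made for readability; the real scheme uses encryption), the candidate names are the ones on the slides, and the serial numbers and nonces are constructed values.

```python
"""Toy model of a prêt à voter ballot form, onion table, audit and receipt.
Added example: the onion is a hash commitment here, NOT the scheme's real
encryption; serials and nonces are constructed sample values."""
import hashlib
import json
import secrets

CANDIDATES = ["Red", "Green", "Chequered", "Fuzzy", "Cross"]  # names from the slides


def onion(serial, order, nonce):
    """Commitment to the randomised candidate order printed on ballot `serial`."""
    data = json.dumps([serial, order, nonce]).encode()
    return hashlib.sha256(data).hexdigest()


def make_ballot(serial, public_table, order=None):
    """Printer side: randomise the candidate list, print it with the serial,
    and publish the onion in the public table keyed by serial (the slides'
    'serial number that points to the encrypted values in a public table')."""
    if order is None:
        order = CANDIDATES[:]
        secrets.SystemRandom().shuffle(order)
    nonce = secrets.token_hex(16)
    public_table[serial] = onion(serial, order, nonce)
    # `order` and `nonce` stay with the authority; the voter only sees the
    # printed candidate list and the serial number.
    return {"serial": serial, "order": order, "nonce": nonce}


def audit_ballot(serial, printed_order, opening, public_table):
    """Challenge: the authority opens (order, nonce) for this serial and anyone
    recomputes the onion. It must match both the public table AND the list
    actually printed on the form. A challenged ballot is then spoiled, not voted on."""
    order, nonce = opening
    return (order == printed_order
            and onion(serial, order, nonce) == public_table.get(serial))


def fill_in(ballot, preferences):
    """Voter writes preference numbers against the printed (randomised) list.
    The receipt keeps only the marks in printed order plus the serial, so on
    its own it reveals nothing about which candidate got which preference."""
    marks = [preferences[name] for name in ballot["order"]]
    return {"serial": ballot["serial"], "marks": marks}


def reveal_vote(receipt, order):
    """Authority side, once the order for this serial has been recovered:
    rejoin the marks with the candidate order to get the preferences back."""
    return dict(zip(order, receipt["marks"]))


def check_receipt_posted(receipt, bulletin_board):
    """Voter at home: is my receipt, exactly as printed, on the public list?"""
    return receipt in bulletin_board


if __name__ == "__main__":
    table = {}
    ballot = make_ballot("S-001", table)          # constructed serial
    print("audit passes:", audit_ballot("S-001", ballot["order"],
                                        (ballot["order"], ballot["nonce"]), table))
    prefs = {"Red": 5, "Green": 1, "Chequered": 3, "Fuzzy": 2, "Cross": 4}
    receipt = fill_in(ballot, prefs)
    print("receipt (no candidate names):", receipt)
    print("recovered:", reveal_vote(receipt, ballot["order"]))
```

The audit check compares the opened order against the list the voter actually holds, not just against the public table: an onion that matches the table but not the printout is exactly the substitution a challenge is meant to catch.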
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 Vic verifiable system based on prêt à voter




Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
 Electronic ballot markers (WA, Tas, proposed NSW)
Checking from home that your
vote is there
 There’s a public website listing all the receipts
 More precisely, there’s a “bulletin board” which is a
public website augmented with some evidence that
everyone sees the same data
 Find yours
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 Vic verifiable system based on prêt à voter




Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
 Electronic ballot markers (WA, Tas, proposed NSW)
Verifying shuffling and decryption
 Now we have a list of encrypted votes
  On a public website
  Encrypted, and linked to voters’ identities
   Because each voter still holds their receipt
 We want to
  Shuffle the votes
   To break the link with voter ID
  Decrypt the votes
  Prove that this was done correctly
What’s public-key cryptography?
 The receiver generates two keys:
 a public key e (for encrypting), and
 a private key d (for decrypting)
 She publicises the public key e
 People use this for encrypting messages
 They also include some randomness
 She keeps the private key d secret
 She uses this for decrypting messages
Picture of public-key cryptography
[Diagram: sender encrypts with RSA using the receiver’s public key; receiver decrypts with RSA using the private key]
Re-randomising encryption
 Without knowing the secret key, re-do the
randomness used in the encryption
 The message stays the same
 But the new encryption can’t be linked to the old one
Randomised partial checking
 By Jakobsson, Juels & Rivest
 Significant improvements by Wikström
 We can’t (completely) prevent a hacker from breaking in to all the computers and changing the votes, but
 We can check the process thoroughly enough to be confident that
  If the checks succeed then the system produced the right output
   With very high probability
Randomised partial checking
 A pair of mix servers shuffle and rerandomise
 Choose randomly to prove the link to start or end
Provable decryption step
 Trust me, this can be done
 Using Chaum-Pedersen proofs of dlog equality
  Showing proper decryption of an ElGamal ciphertext given the ElGamal public key
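The following added example ties two of the slides together in running code: the Helios cast-as-intended check (ask your PC for several encryptions, cast one, make it open the rest) and this slide’s re-randomisation and Chaum-Pedersen proof of correct decryption. It is my own illustration for the transcript, not code from Helios, vVote or the VEC. Assumptions: exponential ElGamal with the talk’s e/d key naming, constructed toy group parameters P, Q, G that are far too small to be secure, a SHA-256 Fiat-Shamir challenge, and votes encoded as small integers; randomised partial checking of the mix itself is not modelled.

```python
"""Toy exponential ElGamal (added example, not Helios/vVote/VEC code) showing
the Helios cast-as-intended check and, after mixing, re-randomisation plus a
Chaum-Pedersen proof of correct decryption. P, Q, G are constructed toy
parameters chosen for readability and are NOT secure."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # safe prime p = 2q+1; g = 4 generates the order-q subgroup

def rand_exp():
    """Uniform exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1

def keygen():
    """Private key d, public key e = g^d (the talk's e/d naming)."""
    d = rand_exp()
    return d, pow(G, d, P)

def encrypt(e, vote, r):
    """Enc_e(vote, r) = (g^r, g^vote * e^r). With r fixed it is deterministic,
    which is what lets a second device recompute it and compare."""
    return (pow(G, r, P), pow(G, vote, P) * pow(e, r, P) % P)

def vote_from(c, t):
    """Given t = a^d for ciphertext (a, b): g^vote = b / t, then a small search."""
    gv = c[1] * pow(t, P - 2, P) % P          # t^{-1} via Fermat, P is prime
    for v in range(64):                        # votes are small integers here
        if pow(G, v, P) == gv:
            return v
    raise ValueError("not an encoding of a small vote")

def decrypt(d, c):
    return vote_from(c, pow(c[0], d, P))

def pc_prepare(e, vote, n, cheat=False):
    """The (possibly compromised) PC encrypts the vote n times with fresh r.
    A cheating PC puts a different vote in the last one and hopes that is the one cast."""
    out = []
    for i in range(n):
        r = rand_exp()
        v = vote + 1 if (cheat and i == n - 1) else vote
        out.append({"r": r, "c": encrypt(e, v, r)})
    return out

def cast_as_intended(e, vote, ballots, keep):
    """Voter picks `keep` only after seeing every ciphertext; the PC opens the
    others by revealing r and another device recomputes Enc_e(vote, r).
    r for the cast ballot is never revealed, so the voter cannot prove the vote."""
    for i, bal in enumerate(ballots):
        if i != keep and encrypt(e, vote, bal["r"]) != bal["c"]:
            return False, None
    return True, ballots[keep]["c"]

def rerandomise(e, c, s):
    """Multiply by a fresh encryption of 0: same plaintext, unlinkable
    ciphertext, no secret key needed. Mix servers do this before permuting."""
    return (c[0] * pow(G, s, P) % P, c[1] * pow(e, s, P) % P)

def fiat_shamir(*vals):
    h = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_decryption(d, e, c):
    """Chaum-Pedersen dlog-equality proof: log_g(e) == log_a(t) with t = a^d,
    i.e. t was computed with the key behind the published e, without revealing d."""
    a = c[0]
    t = pow(a, d, P)
    w = rand_exp()
    u1, u2 = pow(G, w, P), pow(a, w, P)
    ch = fiat_shamir(G, e, a, t, u1, u2)
    return t, (u1, u2, (w + ch * d) % Q)

def verify_decryption(e, c, t, proof):
    """Anyone can run this using public values only."""
    a, (u1, u2, z) = c[0], proof
    ch = fiat_shamir(G, e, a, t, u1, u2)
    return (pow(G, z, P) == u1 * pow(e, ch, P) % P
            and pow(a, z, P) == u2 * pow(t, ch, P) % P)

def mix(e, ciphertexts):
    """One mix server: re-randomise every ciphertext, then secretly permute."""
    out = [rerandomise(e, c, rand_exp()) for c in ciphertexts]
    secrets.SystemRandom().shuffle(out)
    return out

def tally(votes, n_mixes=2):
    """Encrypt, mix, then accept each plaintext only after its proof verifies."""
    d, e = keygen()
    board = [encrypt(e, v, rand_exp()) for v in votes]
    for _ in range(n_mixes):
        board = mix(e, board)
    result = []
    for c in board:
        t, proof = prove_decryption(d, e, c)
        if not verify_decryption(e, c, t, proof):
            raise RuntimeError("decryption proof failed")
        result.append(vote_from(c, t))
    return sorted(result)

if __name__ == "__main__":
    print("tally of [1, 2, 2, 3] after mixing:", tally([1, 2, 2, 3]))
```

A cheating PC in this model is caught whenever the voter casts any ballot other than the one it tampered with, so with n prepared ballots it escapes with probability only 1/n; the mix stage shows why the proof matters, since after two mixes the observer has no link from a decrypted value back to any receipt and must rely on the proof, not on trust in the decryptor.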
Outline
 On the Internet
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 Helios (Adida, de Marneffe, Pereira et al.)
 In the polling place
 Vic verifiable system based on prêt à voter




Voting
Checking from home that your vote is there
Verifying shuffling and decryption
Privacy
 Electronic ballot markers (WA, Tas, proposed NSW)
Privacy
 Whenever you have a computer helping you fill in your
vote, that computer is a privacy risk
 So is the ballot printer
 There are some clever schemes for verifiable voting
that don’t tell your computer how you voted
 e.g. the “plain” version of prêt à voter in which you fill in
the ballot with a pencil
 But none of them work with 30-candidate STV
 This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote
Summary
 This provides a rigorous after-the-fact argument that the
answer was right (with high probability)
 To the court we’d say
 We worked really hard to make sure the software was correct
 We worked really hard to make the computers secure
 But even if these were not perfect:
  The voters & the public could check the integrity of the data directly
  And the scrutineers can reconcile that with the rest of the count
  And would have detected a manipulation with high probability
Feedback
 If you’d like to write your own proof checker, verifier, signature checker, etc, for vVote, please come and talk to me.
 If you think you’ve found a bug, please come and talk to me.
 If you read the supporting materials and you think you’ve found a bug, please come and talk to me.
Outline
 On the Internet
 Helios (Adida, de Marneffe, Pereira et al.)
 NSW (Everyone Counts)
 Norway (Gjøsteen, Scytl)
 In the polling place
 VEC verifiable system based on prêt à voter
 Electronic ballot markers (WA, Tas, proposed NSW)
A human-readable paper record
 So the voter can check directly that their vote is cast as
they intended
 Electronic ballot marker
 Vote on a computer, print your vote, put it in a ballot box
 In use in WA & Tas, proposed in NSW
 Good for voters who need assistance and also for validity
checking for everyone
Conclusion
 Verifiable Internet voting is an unsolved problem
 Verifiable polling-place voting has several sensible
solutions
 But there are important details in extending them to
Australian voting
So what happens now?
 The AEC recently produced a discussion paper on Internet voting
 http://www.eca.gov.au/media/18-09-13.htm
 "7.8 As noted in Part 1, the extent to which it can be guaranteed
that votes cast on the internet will not be susceptible to
interference of one form or another has been a matter of vigorous
dispute. This paper takes no stand on that issue,..."
"7.17 The need for new transparency mechanisms to replace
those associated with the paper ballot remains a matter of
fundamental importance, and one which will rise in significance
in direct proportion to the number of people actually using
internet voting. Elaboration of such mechanisms is beyond the
scope of this paper."