Voting Security Overview

(Electronic)Voting Security

Ben AdidaHarvard University

Workshop on Electronic VotingIDC Herzliya17 May 2009

The Point of An Election

The Point of An Election

“The People have spoken....the bastards!”

Dick Tuck1966 Concession Speech

The Point of An Election

“The People have spoken....the bastards!”

Dick Tuck1966 Concession Speech

Provide enough evidenceto convince the loser.

"That's for me and a button to know."

Joe, the plumber.

5

5

5

5

5

5

5

6

6

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting

8

Fashionable Voting

8

Voting is a fundamentally difficult problem.

9

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday

to see the election results.

"She saw my name with zero votes by it.She came home and asked me ifI had voted for myself or not."

10

11

11

14

12

11

1 person, 1 vote

14

12

Enforced Privacyto ensure each voter

votes in his/herown interest

12

http://www.cs.uiowa.edu/~jones/voting/pictures/ 13

http://www.cs.uiowa.edu/~jones/voting/pictures/

1892 - Australian Ballot

14

The Ballot Handoff

Alice the Voter

17

McCain

The Ballot Handoff

Alice the Voter

17

McCain

The Ballot Handoff

Alice the Voter

17

McCain

The Ballot Handoff

Alice the Voter

17

McCain

The Ballot Handoff

Alice the Voter

17

McCain

ObamaObamaObama

McCainMcCain

McCain

The Ballot Handoff

Alice the Voter

17

McCain

ObamaObamaObama

McCainMcCain

Black Box

McCain

Chain of Custody

18

Chain of Custody

Vendor

/*

* source

* code

*/

if (...

1

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

4

Alice

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

4

Alice

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

Ballot Box Collection

5

4

Alice

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

Ballot Box Collection

5

Results

.....6

4

Alice

18

Chain of Custody

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

Ballot Box Collection

5

Results

.....6

4

Alice

Black Box18

The Cost of Secrecy

The Cost of Secrecy

The Cost of Secrecy

The Cost of Secrecy

The Cost of Secrecy

But Secrecy is Important.

Secret Ballot implemented in Chile in 1958.

“the secrecy of the ballot [...] has first-order implications for resource

allocation, political outcomes, and social efficiency.”

[BalandRobinson 2004]

Because we care about a meaningful result, we’ve made auditing

very difficult.

21

We are left chasing evidence of correctness.

Meanwhile we destroy evidence on purpose.

22

Obtaining Evidence

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

Ballot Box Collection

5

Results

.....6

4

Alice

23

Obtaining Evidence

- source code audit

- Logic & Accuracy

- Parallel Testing

- Voter-Verified Paper Audit Trail

VotingMachine

2

Vendor

/*

* source

* code

*/

if (...

1

Polling Location

3

Obtaining Evidence

Polling Location

3

4

Alice

- Multiple poll watcherscompeting affiliations

- No personal electronic devicesat the polling station

- Logging all events

Obtaining Evidence

- redundant counts

- ballot box seals

- statistical auditing by partial recounts

Ballot Box Collection

5

Results

.....6

Fragmented, Adversarial and Indirect

- each piece of evidence coversa small segment of the chain.

- attacker knows the checks, and can try to sneak in where the chain is not covered.

- to maintain security and for practical purposes, the evidence is very indirect.

The Effect of DREs

- More to audit

- Errors can have disproportionate effects

- Software is not just for speed/efficiency,it becomes central for integrity.

Software Independence

an undetected mistake in the system does not cause an

undetectable error in the tally.

Can we getmore direct,

more end-to-end evidence?

Secret Ballot vs. Verifiability

Voting System

Alice

convince

Carl the Coercer

31

Secret Ballot vs. Verifiability

Voting System

Alice

convince

Carl the Coercer

31

[Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Neff2001], [FS2001],[Chaum2004], [Neff2004], [Ryan2004], [Chaum2005]

Punchscan, Scantegrity I & II, Civitas, ThreeBallot, Prêt-à-Voter, Scratch & Vote, ...

Bulletin Board

Public Ballots

Bob:McCain

Carol:Obama

32

Bulletin Board

Public Ballots

Bob:McCain

Carol:Obama

Alice

32

Bulletin Board

Public Ballots

Alice:Obama

Bob:McCain

Carol:Obama

Alice

32

Bulletin Board

Public Ballots

Alice:Obama

Bob:McCain

Carol:Obama

Tally

Obama....2McCain....1

Alice

32

Encrypted Public BallotsBulletin Board

Alice:Rice

Bob:Clinton

Carol:Rice

Tally

Obama....2McCain....1

Alice

33

Encrypted Public BallotsBulletin Board

Alice:Rice

Bob:Clinton

Carol:Rice

Tally

Obama....2McCain....1

Alice

Alice verifies her vote

33

Encrypted Public BallotsBulletin Board

Alice:Rice

Bob:Clinton

Carol:Rice

Tally

Obama....2McCain....1

Alice

Alice verifies her vote Everyone verifies the tally

33

End-to-End Verification

End-to-End Verification

Polling Location

VotingMachine

Vendor

/*

* source

* code

*/

if (...

End-to-End Verification

Polling Location

VotingMachine

Vendor

/*

* source

* code

*/

if (...

Ballot Box /

Bulletin Board

Alice

End-to-End Verification

Polling Location

VotingMachine

Vendor

/*

* source

* code

*/

if (...

Ballot Box /

Bulletin Board

Alice

Results

.....

End-to-End Verification

Polling Location

VotingMachine

Vendor

/*

* source

* code

*/

if (...

Receipt

1

Ballot Box /

Bulletin Board

Alice

Results

.....

End-to-End Verification

Polling Location

VotingMachine

Vendor

/*

* source

* code

*/

if (...

Receipt

1 2

Ballot Box /

Bulletin Board

Alice

Results

.....

Open-AuditElections

Evidence-Based Elections

Questions?ben_adida@harvard.edu