Cast, but verify Can voters check that their e-vote is cast as they intended and properly included in an accurate count? Vanessa Teague University of Melbourne [email protected] CIS department seminar, March ’14




Slide 1: Cast, but verify
• Can voters check that their e-vote is cast as they intended and properly included in an accurate count?
• Vanessa Teague, University of Melbourne, [email protected]
• CIS department seminar, March '14

Slide 2: Why verifiable voting?
• What's wrong with this picture?
• (Diagram: voters' PCs send RSA-encrypted votes to an Electoral Commission server holding the decryption key, which announces the election outcome)

Slide 3: The challenge
• Vote privacy is relatively easy: use standard crypto and a completely trusted decryption & counting system
• Verifiability is relatively easy if you don't care about privacy: just make all the votes public
• The challenge is to do both: verifiably accurate results that preserve privacy

Slide 4: Electronic election verification
• Each voter can check that their vote matches their intention, even if the computer they're using is compromised
• Everyone can check that the votes were properly handled after casting
• Not in this talk:
  • Details about privacy
  • Verifying the counting software, e.g. Rajeev Goré's work on EVACS
  • Other important requirements: usability, robustness, security from outside attack, ...

Slide 5: Outline
• On the Internet
  • NSW (Everyone Counts)
  • Norway (Gjøsteen, Scytl)
  • Helios (Adida, de Marneffe, Pereira et al.)
• In the polling place
  • VEC verifiable system based on Prêt à Voter
  • Electronic ballot markers (WA, Tas, proposed NSW)

Slide 6: iVote (NSW) 2011
• Voters log in again later to query the system and see if they get the right verification number back
• (Diagram: Verif1, Verif2, Verif3)

Slide 7: iVote 2015
• A new version is proposed for the 2015 NSW state election
• Voter sends vote to server using plain SSL/TLS again
• Each voter checks their vote (unencrypted) with an auditor
  • But don't worry, the auditor can't possibly tell who you are just by looking at your IP address
• Auditor promises to check that they all go properly into the count
• See draft design at http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/125454/iVote_Strategy_for_SGE_2015_amd_1.pdf

Slide 8: iVote (proposed NSW) 2015
• (Diagram: plaintext vote check with the Auditor; voter to Electoral Commission over TLS)

Slide 9: Outline (as slide 5)

Slide 10: Norway
• A partially-verifiable Internet voting scheme
• Used in recent Norwegian local & parliamentary elections
• Openly-available source code with public docs & papers
• Uses Norwegian government electronic ID scheme
• Implemented by Scytl

Slide 11: Example 3: Norway
• Each voter gets a code sheet by snail mail; everyone's code sheet is different
• Voter's PC encrypts party name, sends to server
• Authorities SMS party code to voter's mobile phone
• Corrupt PC can't lie about your vote undetectably, unless it learns the codes
• (Example code sheet: Red 3492, Green 3489, Chequered 8934, Fuzzy 3513, Cross 9253, Yellow 0114)

Slide 12: Norway
• An admirable process: public consultation, open source code, academic review, honesty about problems
• Still some gaps in the protocol, but at least they know what they are
• And some bugs in the implementation, but there's a process for finding and fixing them
• The open process allows for a scientific discussion based on facts & careful analysis

Slide 13: Outline (as slide 5)

Slide 14: Helios
• An end-to-end verifiable Internet voting scheme by Adida, de Marneffe, Pereira
• Source code and docs at heliosvoting.org
• Used by the IACR in their board elections
• Each voter can verify that their vote is cast as they intended and properly included in the count
• Anyone can verify that all the included votes are properly decrypted and tallied

Slide 15: One-page reminder about public key crypto
• The receiver generates two keys: a public key e (for encrypting) and a private key d (for decrypting)
• She publicises the public key e; people use this for encrypting messages, and they also include some randomness r: ciphertext C = Enc_e(msg, r)
• She keeps the private key d secret and uses it for decrypting messages

Slide 16: Helios: cast-as-intended verification
• You don't trust your PC to encrypt the right thing, but you do trust your PC for privacy
• Ask your PC to produce lots of (different) encrypted votes; it doesn't know which one you're going to use
• Photograph them, print them, or send them to other devices
• Ask your PC to open all but one of them, i.e. to tell you the randomness r it used for encrypting
• Get the other devices to check the encryption was right: they just recompute Enc_e(msg, r)
• Cast the one you didn't open, so your privacy is preserved

Slide 17: So why not use Helios for Aus government elections?
• Difficulty of cast-as-intended protocol: voters need to understand it to get it right
• Extension to STV ballots with 97 people
• Computational scalability

Slide 18: Internet voting: summary
• There is no end-to-end verifiable Internet voting scheme that's usable for ordinary voters and adaptable to Australian-style preferential elections
• And we haven't even talked about authenticating the voters or preserving privacy

Slide 19: Outline
• On the Internet
  • NSW (Everyone Counts)
  • Norway (Gjøsteen, Scytl)
  • Helios (Adida, de Marneffe, Pereira et al.)
• In the polling place
  • Vic verifiable system based on Prêt à Voter
    • Voting
    • Checking from home that your vote is there
    • Verifying shuffling and decryption
    • Privacy
  • Electronic ballot markers (WA, Tas, proposed NSW)

Slide 20: The Victorian Electoral Commission's polling-place voting system
• I've done a lot of work on this project, but am not representing the VEC's official position in any way
• Based on the Prêt à Voter end-to-end verifiable voting scheme (Ryan, Schneider, Chaum)
• Implemented by a team at U Surrey (Culnane, Heather, Schneider), with some help from the VEC (Burton)
• This scheme is end-to-end verifiable, except that the point where its output is joined in with the rest of the ballots is observable only by scrutineers

Slide 21: Victoria polling-place 2014 cont'd
• Each voter gets a human-readable printout to check
• The printout is transformed into an encrypted receipt
• The voter gets evidence that this is the vote they intended, without being able to prove to others how they voted
• Voter takes their encrypted receipt home and checks that it's in the accepted list
• The accepted list is shuffled & decrypted with a mathematical proof of correctness, which anyone can check
• Source code at https://bitbucket.org/vvote

Slide 22: Prêt à Voter
• Uses pre-prepared paper ballot forms that encode the vote in familiar form
• The candidate list is randomised for each ballot form
• Information defining the candidate list is encrypted in an "onion" value printed on each ballot form
• Actually, we print a serial number that points to the encrypted values in a public table
• (Example ballot form: Red, Green, Chequered, Fuzzy, Cross; serial $rJ9*mn4R&8)

Slide 23: Ballot auditing
• Each voter can challenge as many ballots as they like and get a proof that the onion matches the candidate list
• Then don't use that ballot; vote on an unchallenged one, so you can't prove how you voted
• (Example ballot form: Red, Green, Chequered, Fuzzy, Cross; serial $rJ9*mn4R&8)

Slide 24: Voting
• Fill in the boxes as usual, using a computer to help
• Check its printout against the candidate list
• Shred the candidate list
• Computer uploads the vote (same info as on the printout)
• Take the printout home; it doesn't reveal the vote
• (Example: printout $rJ9*mn4R&8 with preferences 1 2 3 4 5 beside candidate list Red, Green, Chequered, Fuzzy, Cross, serial $rJ9*mn4R&8)

Slide 25: Outline (as slide 19)

Slide 26: Checking from home that your vote is there
• There's a public website listing all the receipts
• More precisely, there's a bulletin board, which is a public website augmented with some evidence that everyone sees the same data
• Find yours

Slide 27: Outline (as slide 19)

Slide 28: Verifying shuffling and decryption
• Now we have a list of encrypted votes on a public website, encrypted and linked to voters' identities, because each voter still holds their receipt
• We want to:
  • Shuffle the votes, to break the link with voter ID
  • Decrypt the votes
  • Prove that this was done correctly

Slide 29: What's public-key cryptography?
• The receiver generates two keys: a public key e (for encrypting) and a private key d (for decrypting)
• She publicises the public key e; people use this for encrypting messages, and they also include some randomness
• She keeps the private key d secret and uses it for decrypting messages

Slide 30: Picture of public-key cryptography
• (Diagram: Sender, Receiver, RSA)

Slide 31: Re-randomising encryption
• Without knowing the secret key, re-do the randomness used in the encryption
• The message stays the same, but the new encryption can't be linked to the old one

Slide 32: Randomised partial checking
• By Jakobsson, Juels & Rivest; significant improvements by Wikström
• We can't (completely) prevent a hacker from breaking in to all the computers and changing the votes, but
• We can check the process thoroughly enough to be confident that, if the checks succeed, then the system produced the right output with very high probability

Slide 33: Randomised partial checking
• A pair of mix servers shuffle and rerandomise
• Choose randomly to prove the link to start or end

Slide 34: Provable decryption step
• Trust me, this can be done
• Using Chaum-Pedersen proofs of dlog equality, showing proper decryption of an ElGamal ciphertext given the ElGamal public key

Slide 35: Outline (as slide 19)

Slide 36: Privacy
• Whenever you have a computer helping you fill in your vote, that computer is a privacy risk; so is the ballot printer
• There are some clever schemes for verifiable voting that don't tell your computer how you voted, e.g. the plain version of Prêt à Voter in which you fill in the ballot with a pencil
• But none of them work with 30-candidate STV
• This scheme does about the best I can imagine at preserving privacy while providing a usable 30-candidate STV vote

Slide 37: Summary
• This provides a rigorous after-the-fact argument that the answer was right (with high probability)
• To the court we'd say:
  • We worked really hard to make sure the software was correct
  • We worked really hard to make the computers secure
  • But even if these were not perfect, the voters & the public could check the integrity of the data directly, and the scrutineers can reconcile that with the rest of the count, and would have detected a manipulation with high probability

Slide 38: Feedback
• If you'd like to write your own proof checker, verifier, signature checker, etc., for vVote, please come and talk to me
• If you think you've found a bug, please come and talk to me
• If you read the supporting materials and you think you've found a bug, please come and talk to me

Slide 39: Outline
• On the Internet
  • Helios (Adida, de Marneffe, Pereira et al.)
  • NSW (Everyone Counts)
  • Norway (Gjøsteen, Scytl)
• In the polling place
  • VEC verifiable system based on Prêt à Voter
  • Electronic ballot markers (WA, Tas, proposed NSW)

Slide 40: A human-readable paper record
• So the voter can check directly that their vote is cast as they intended
• Electronic ballot marker: vote on a computer, print your vote, put it in a ballot box
• In use in WA & Tas, proposed in NSW
• Good for voters who need assistance, and also for validity checking for everyone

Slide 41: Conclusion
• Verifiable Internet voting is an unsolved problem
• Verifiable polling-place voting has several sensible solutions
• But there are important details in extending them to Australian voting

Slide 42: So what happens now?
• The AEC recently produced a discussion paper on Internet voting: http://www.eca.gov.au/media/18-09-13.htm
• "7.8 As noted in Part 1, the extent to which it can be guaranteed that votes cast on the internet will not be susceptible to interference of one form or another has been a matter of vigorous dispute. This paper takes no stand on that issue,..."
• "7.17 The need for new transparency mechanisms to replace those associated with the paper ballot remains a matter of fundamental importance, and one which will rise in significance in direct proportion to the number of people actually using internet voting. Elaboration of such mechanisms is beyond the scope of this paper."
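As an added example, not code from the talk, Helios or vVote: a toy ElGamal implementation of two of the building blocks above, the Helios cast-as-intended check of slide 16 (the PC commits to several encryptions, opens all but one, and a second device recomputes Enc_e(msg, r)) and the re-randomisation of slide 31 followed by the Chaum-Pedersen proof of correct decryption of slide 34. The group parameters and the encoding of a vote as an integer are assumptions made here, and the prime is far too small for real use.

```python
import hashlib
import secrets
# Toy ElGamal group (assumed, illustration only): p = 23, q = 11, g = 4 generates the order-11 subgroup.
P, Q, G = 23, 11, 4

def keygen():
    d = secrets.randbelow(Q - 1) + 1        # private key d (kept by the decrypting authority)
    return d, pow(G, d, P)                  # (d, e) with public key e = g^d

def encrypt(e, m, r):
    # ElGamal ciphertext C = Enc_e(m, r) = (g^r, m * e^r); m is the vote encoded as an element mod p
    return pow(G, r, P), (m * pow(e, r, P)) % P

def prepare_ballots(e, m, n):
    # Untrusted PC commits to n encryptions of the same vote before it learns which one will be kept
    rs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return [encrypt(e, m, r) for r in rs], rs

def audit_ballots(e, m, ciphers, rs, keep):
    # Second device re-encrypts m with each opened r; the ballot at index `keep` stays sealed and is cast
    return all(encrypt(e, m, rs[i]) == ciphers[i] for i in range(len(ciphers)) if i != keep)

def rerandomise(e, c, s):
    # Multiply by an encryption of 1 under fresh randomness s: same plaintext, unlinkable ciphertext
    a, b = c
    return (a * pow(G, s, P)) % P, (b * pow(e, s, P)) % P

def challenge(*vals):
    # Fiat-Shamir challenge, so the proof is non-interactive and any observer can re-check it
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove_decryption(d, e, c):
    # Chaum-Pedersen proof that log_g(e) == log_a(w): the published w = a^d really used the key behind e
    a, b = c
    w = pow(a, d, P)
    t = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(G, t, P), pow(a, t, P)
    z = (t + challenge(G, e, a, w, u1, u2) * d) % Q
    return (b * pow(w, -1, P)) % P, (w, u1, u2, z)  # (claimed plaintext, proof)

def verify_decryption(e, c, m, proof):
    # Anyone can check: g^z == u1 * e^ch, a^z == u2 * w^ch, and m * w == b
    a, b = c
    w, u1, u2, z = proof
    ch = challenge(G, e, a, w, u1, u2)
    return (pow(G, z, P) == (u1 * pow(e, ch, P)) % P
            and pow(a, z, P) == (u2 * pow(w, ch, P)) % P
            and (m * w) % P == b)
```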