Security, Privacy, and ElectronicVoting
Bridging the Gap between Theory andImplementation
Michael Ginzburg & Kris Kampshoff
Security, Privacy, and Electronic Voting – p.1/34
Outline
� Background and Motivation� Problems with Current Voting Systems� Diebold AccuVote-TS� Requirements for a Secure Voting System� The Secrecy/Auditability Conundrum� Ingredients for a Secure System� “Bulletin Board” Election� Homomorphic ElGamal Encryption� Threshold Decryption� Conclusions
Security, Privacy, and Electronic Voting – p.2/34
Background and Motivation
� In 2000, the US presidential election was hotly contested,which led to widespread deployment of electronic votingsystems in 2004.� Most of these systems were DRE (Direct Recording Electronic)systems, which leave no paper trail.� Problems with one DRE system in particular (DieboldAccuVote-TS) were discovered and widely reported in 2003.� Many irregularities with DRE machines were reported in 2004.� Our Motivation: Point out the known flaws in existing systems,and examine proposed theoretical systems to see ifimplementation is feasible� Eventual goal: Make voting a painless, secure, and publiclyverifiable process
Security, Privacy, and Electronic Voting – p.3/34
Diebold AccuVote-TS: Background
�� AccuVote-TS is a complete DRE system (hardware andsoftware):� Using an intelligent Voter Card as the voter interface, the
AccuVote-TS permits voters to view and cast their votes bytouching target areas on an electronically generated ballot.Each unit provides a direct-entry computerized votingapplication that automatically records and storesappropriate ballot information and results. At the end of thevoting period, the system can print precinct totals to beincluded as part of the permanent record and modem[sic]the results to a host computer via TeleResults.� This system was used in 213 counties in 9 states (fortunately,
not in Ohio or Florida) for the 2004 elections.
Security, Privacy, and Electronic Voting – p.4/34
Diebold AccuVote-TS: Source Code Leak
� AccuVote-TS is not the only DRE system that was used in2004, but it is the system we know the most about.� AccuVote-TS source code was publicly available from acompletely open and insecure FTP site until some time inJanuary 2003.� While Diebold claims to have made significant changes toAccuVote-TS, the state of the source code at the time of theleak casts serious doubts on the security of the system.� Incorrect use of smartcards� Incorrect use or complete absense of cryptography
Security, Privacy, and Electronic Voting – p.5/34
AccuVote-TS: Highlights
� Avi Rubin, et al. published a devestating critique ofAccuVote-TS after analyzing the source code.� General problems: incorrect use of smartcards andincorrect/absent cryptography.� No cryptography is performed by the smartcards – ever!� This makes ‘homebrew’ smartcards a reality. Attackers
could perform the same actions as an election administrator.� Where cryptography is used, it is woefully inadequate.�
#define DESKEY ((des_key*) ‘‘F2654hD4‘‘)� Single DES is used in CBC mode with a 0 IV to store ballotdata and votes.
Security, Privacy, and Electronic Voting – p.6/34
AccuVote-TS: Summary
� It is not clear whether or not the leaked source code accuratelyrepresents the final system put in place by Diebold for the 2004election.� Diebold officials released a rebuttal to Rubin’s paper, but itinadequately addressed many of the concerns, and belied acomplete lack of understanding of security issues.� Rubin: “Cryptography, when used at all, is used
incorrectly.”� Diebold: “ This statement is based on the presumption thatthere is a single correct means of using cryptography.”� However, even if significant improvements were made, the
glaring errors present in the leaked code cast great doubt on thesecurity of the final system.
Security, Privacy, and Electronic Voting – p.7/34
Requirements for a Voting System
� A voting system, electronic or otherwise, must successfullydeal with these problems:� Ballot Modification� Disenfranchisement� Loss of Privacy� Multiple Votes� Vote Commoditization/Voter Coercion� These problems can be generalized into twosomewhat-contradictory requirements: Secrecy andAuditability.
Security, Privacy, and Electronic Voting – p.8/34
Secrecy/Auditability Conundrum
� Ballot secrecy: Only the voter may know which vote he or shecast.� Ballot auditability: Any interested party should be able to checkunambiguously that the published election result corresponds tothe ballots cast by legitimate voters.
Security, Privacy, and Electronic Voting – p.9/34
Theoretical Approaches
� All voting systems, electronic or otherwise, require ballotsecrecy and ballot auditability. If these two issues are satisfied,most of the security concerns mentioned previously arealleviated.� However, secrecy and auditability are difficult to achieve at thesame time.� Common themes among the theoretical voting papers wesurveyed are: homomorphic encryption, threshold decryption,and a “bulletin board” metaphor for the collection and auditingof votes.� Here, we will focus on one scheme described in two papers bySchoenmakers, Cramer, and Gennaro, which makes use ofthese three concepts.
Security, Privacy, and Electronic Voting – p.10/34
Secrecy/Auditability Conundrum
� It is impossible to achieve both goals if only a single trustedentity is used
�
Voter Vote
�
Alice Yes 1Bob No 0Carol Yes 1Diane No 0Total 2
� Entity
�
learns all of the voters’ votes.
Security, Privacy, and Electronic Voting – p.11/34
Secrecy/Auditability Conundrum
� We need to distribute the responsibilities of tallying to protectprivacy
�
Voter Vote
��� ���
Alice Yes �1287 +1288Bob No +1999 �1999Carol Yes +1770 �1769Diane No �1334 +1334Total +1148 �1146
� �� and
� � learn none of the voters’ votes, unless they collude.� We need to have a large enough number of talliers so that votersmay trust at least some of them not to collude.
Security, Privacy, and Electronic Voting – p.12/34
Bulletin Board Election
� A voting scheme proposed by Cramer, Gennaro, andSchoenmakers. Relies on a “bulletin board” model:� Any parties (including passive observers) can see bulletin
board contents� Each active participant can post messages by appending themessage to their own designated area� Digital signatures are used to verify access to the varioussections of the bulletin board� No party can erase anything from the bulletin board� Broadcast channel such that everybody is able to view whatis posted
Security, Privacy, and Electronic Voting – p.13/34
Bulletin Board Election: Process
� Phase 1 – Setup� Bulletin board servers are set up. This includes thegeneration and certification of public keys� Deadlines for the various phases of the election aredetermined� List of eligible voters is determined� List of talliers is determined� All of the above info is distributed to all relevant parties (voters,
talliers, election observers, etc.)
Security, Privacy, and Electronic Voting – p.14/34
Bulletin Board Election: Process
� Phase 2 – Registration� Talliers register their public keys with the bulletin board� Eligible voters register their public keys with the bulletinboard� List of talliers and list of voters is ‘frozen’ (digitally signed,contents possibly time-stamped)
Security, Privacy, and Electronic Voting – p.15/34
Bulletin Board Election: Process
� Phase 3 – Voting� Registered voters cast their votes by sending in theirencrypted ballots, which are digitally signed by the voterand verifiable by the public key registered with the voter’ssection on the bulletin board� Election officials freeze the contents of the voters’ sectionson the bulletin board, and accumulate the valid ballots� Talliers produce their sub-tallies� The election officials freeze the contents of the talliers’sections on the bulletin board. The final tally as computedfrom the sub-tallies is also included� The observers read the complete contents of the bulletinboard, and check that all valid ballots are counted, and validsub-tallies correspond to the final tally
Security, Privacy, and Electronic Voting – p.16/34
Cryptographic Protocols
� How can we guarantee that votes are tallied accurately withoutcompromising voter secrecy?� By using special-purpose cryptographic protocols that rely ontechniques such as verifiable secret sharing andzero-knowledge proofs of knowledge.� Homomorphic encryption:� A public key encryption algorithm
�is called
homomorphic if it satisfies the property��� �� � �� ��� � � � ��� �� � � � �
for any public key� �
and any messages � � and � � . Hence,if we ‘multiply’ two encrypted messages (for the samepublic key), the result is an encryption of the ‘sum’ of theoriginal messages.
Security, Privacy, and Electronic Voting – p.17/34
Cryptographic Protocols
� The security of the scheme can be chosen to be a cryptosystembased on either the difficulty of the discrete logarithm problemOR the hardness of factoring.� The ElGamal cryptosystem (which relies on the difficulty of thediscrete logarithm problem) will be used for the security of theelection scheme because is has some nice properties that makeit easy to work with.
Security, Privacy, and Electronic Voting – p.18/34
ElGamal Review
� Review of the ElGamal Cryptosystem:�� is a 1024-bit prime�� is a 160-bit prime satisfying� �� � �
�� is an element of order�� Each participant in the system generates a key pair by picking arandom number � such that
��� � � � � and setting the privatekey equal to � and the public key
� �� �. Because of the
hardness of the discrete logarithm problem, no one is able tofind � given only
�
and� .
Security, Privacy, and Electronic Voting – p.19/34
Using ElGamal
� To encrypt a message � for a recipient with public key�
, onecomputes the ciphertext
� "! # � � $! � $� � , where % is arandom number
��� � % � � .� Benefit of ElGamal: since % is random for each encryption, theresult will be different each time (even for the same message).� To decrypt the ciphertext
"! # the recipient will use their
private key �: � � # &� �
.
Security, Privacy, and Electronic Voting – p.20/34
Homomorphic ElGamal
� The ElGamal cryptosystem can be easily modified to behomomorphic by setting � �� '
for a vote � in( �! � )
. (Thislimits voting to a yes-or-no scheme; more complicated versionsare possible for multi-way voting.)� Multiplying
� �! # � � � $*! � $* � � '* by �! # � � � $+! � $ + � � ' +
, we get �! # � �� � �! # � � � � �! # � � # � �� $* , $ +! � $* , $ + � � ' * , '+ ,
which is an ElGamal encryption of� '* , '+
.
Security, Privacy, and Electronic Voting – p.21/34
Simplified Overview of the Voting Scheme
� The two main stages for an election are as follows:1. Voting: Each voter
-/. submits a ballot of the form� .! # . � � $0! � $0 � � '0
, where � . 1 ( �! � )is the desired
vote and
�
is the (shared) public key of the talliers (more onthis later).
2. Tallying: The product of all submitted ballots,
. � 2� 3 0 $0! � 3 0 $0 � � 3 0 '0 4, is computed. The talliers
jointly decrypt the product, which yields the sum of thevotes, . � . , as the desired tally.� How is voter privacy ensured? Because no entity is ever in
possession of the decryption (private) key 5 that corresponds tothe talliers’ public key
�. The tally of the votes is decrypted
using a threshold cryptosystem.
Security, Privacy, and Electronic Voting – p.22/34
Threshold Cryptosystem
� Purpose: to share a private key among a set of entities such thatmessages can only be decrypted when a substantial set ofentities cooperate.� The main protocols of such a system are:� a key generation protocol to generate the private key jointly
by the receivers, and� a decryption protocol to jointly decrypt a ciphertext withoutexplicitly reconstructing the private key.
Security, Privacy, and Electronic Voting – p.23/34
Threshold Cryptosystem
� The result of the key generation protocol is that each tallier
687
will possess a share 5 7 1 9;: of a secret 5. The talliers arecommitted to these shares as the values
� 7 �� <= are madepublic.� The shares 5 7 are chosen such that the secret 5 can bereconstructed from any set
>
of
?shares:
(1) 5 � 7@ A 5 7 B 7DC A, where
B 7DC A � .@ AFE G 7 H .. E 7
� The public key
� �� <
is broadcast to all participants in thesystem; however, no single participant ever learns the secret 5.
Security, Privacy, and Electronic Voting – p.24/34
Decrypting the Ballots
� To decrypt a ciphertext
�! I � � J! � J� � withoutreconstructing the secret 5, the talliers execute the followingprotocol:� Each tallier
67 broadcasts K 7 � � <= and proves inzero-knowledge that log L � 7 � log � K 7 .� Let
>
denote any subset of
?authorities who passed the
zero-knowledge proof. By raising � to both sides ofequation (1), it follows that the plaintext can be recovered as� � I & 7@ A K M=ON P7 .
� Step 2 assures that the decryption is correct and successful evenif up to Q � ?
talliers are malicious or simply fail to execute theprotocol.
Security, Privacy, and Electronic Voting – p.25/34
Encryption and Proof of Validity of Ballot
� Too big to fit on slide!� The resulting proof of validity requires only a few modularexponentiations.
Security, Privacy, and Electronic Voting – p.26/34
Proof of knowledge for log R S T log U S
�
Prover VerifierV �! I � � J! � J W
K 1YX 9 :� "! # [Z � \! � \ ! #^]Z _ _ 1[X 9 :
%Z K �a` _ % ] � $ � � b
� $ � # I b
� In order to make the protocols non-interactive, the verifier willbe implemented using either a trusted source of random bits(i.e. a beacon) or using the Fiat-Shamir heuristic, whichrequires a hash function.
Security, Privacy, and Electronic Voting – p.27/34
Decrypting the Ballots
� Using the threshold cryptosystem outlined above, the mainsteps of the bulletin board voting protocol are now:� Voter
-. posts a ballot
� .! I . to the bulletin board(accompanied by a non-interactive proof of validity)� When the deadline is reached, the proofs of validity arechecked by the talliers and the productc ! d � e.gf � � .! e.gf � I . is formed� Finally, the talliers jointly execute the decryption protocol(outlined above) for
c ! d to obtain the value of� d &c <
. (A non-interactive proof of knowledge is usedin Step 1 of the decryption protocol)
Security, Privacy, and Electronic Voting – p.28/34
Final Tally
� As a result, we get � h i
, where
6
is equal to the differencebetween the number of yes-votes and no-votes, � j � � 6� � j
(where
j
is the total number of voters). Hence,6 � log k
which is, in general, considered hard to compute because of thediscrete logarithm problem.� But
6
must be computed, as it is the final tally of the votes!What to do?� The value of
6
can easily be determined by iterativelygenerating
h E e! hE e , �! hE e , �!l l l until is found. While thiswould normally be considered a naive brute-force approach tosolving a discrete logarithm, here it makes sense because
j
(thenumber of voters) is relatively small.
Security, Privacy, and Electronic Voting – p.29/34
Extension to Multi-way Elections
� Many elections require choosing between more than just twochoices.� There are multiple ways to solve this problem. One way(described below) keeps the size of the ballots constant, whileincreasing the size of the ballot’s proof of validity).� To get an election for a 1-out-of-
�choice, take
�
(independently generated) generators
h .! �m nm �
, andaccumulate the votes for each option separately.� The proof of ballot validity of a ballot
�! I now boilsdown to a proof of knowledge ofjpo� L � � j o� q I & h � sr � � � r jpo� L � � j o� q I & h .This automatically guarantees that the voter cannot vote formore than one option at a time, since the voter can onlygenerate this proof of validity for at most one generator
h . .Security, Privacy, and Electronic Voting – p.30/34
Extension to Multi-way Elections 2
� Computing the final tally is generally more complicated.� After decryption by the authorities, a number is obtainedthat represents the final tally, � h i*� � � � h iut , where the
6 . ’sform the result of the election.� Since
6 . v �
and
.gf � 6 . � j
, computation of the
6 . ’s isfeasible for reasonable values of
jand
�.
Security, Privacy, and Electronic Voting – p.31/34
Major Achievements
Three major achievmeents of the scheme:� 1) The work required of the voter is minimal.� 2) The protocol, as well as the time and communicationcomplexity for each voter, is independent of Q (the number ofauthorities/talliers).� 3) The new scheme can easily be extended using techniques for“proactive” threshold cryptosystems to leave the system (andits keys) in place for a really long time without fearing that thesecret key gets compromised.
Security, Privacy, and Electronic Voting – p.32/34
Problems with This Scheme
� Every participant requires a public-private key pair. Thisincludes the servers running a bulletin board, the talliers, andmost importantly, every single voter. The logistics ofgenerating/distributing key pairs for every voter in a secure androbust manner would be a nightmare.� Asymmetric cryptography (ElGamal) is more expensivecomputationally than the symmetric-key protocols being usedin current systems. This may not scale well to large elections.� Due to its use of electronic “receipts” (the encrypted anddigitally signed vote posted to the voter’s section of the bulletinboard), a third-party could force a voter to use a particularchoice for % for the encryption of the ballot. If this is done, thethird-party would then be able to coerce the voter to vote in aparticular way.
Security, Privacy, and Electronic Voting – p.33/34
Conclusions
� Some current implementations of electronic voting systems aresimply not secure enough to trust for something as important asour electoral process.� On the other hand, the current theoretical systems we haveexamined, while provably secure, may have problems withlogistics and matters of scale.
Security, Privacy, and Electronic Voting – p.34/34