Voting Security Overview

  • View
    1.729

  • Download
    1

Embed Size (px)

DESCRIPTION

A general talk on voting security, presented at IDC Herzliya, Israel, May 2009.

Text of Voting Security Overview

  • 1.(Electronic) Voting SecurityBen AdidaHarvard UniversityWorkshop on Electronic VotingIDC Herzliya17 May 2009

2. The Point of An Election 3. The Point of An Election The People have spoken....the bastards! Dick Tuck1966 Concession Speech 4. The Point of An Election The People have spoken....the bastards! Dick Tuck1966 Concession SpeechProvide enough evidenceto convince the loser. 5. quot;That's for me and abutton to know.quot;Joe, the plumber. 6. 5 7. 5 8. 5 9. 5 10. 5 11. 5 12. 5 13. 6 14. 6 15. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 16. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 17. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 18. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 19. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 20. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 21. Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7 22. Fashionable Voting8 23. Fashionable Voting8 24. Voting is a fundamentally difcult problem. 9 25. Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results.quot;She saw my name with zero votes by it. She came home and asked me ifI had voted for myself or not.quot;10 26. 1412 27. 14 12 1 person, 1 vote 28. Enforced Privacy to ensure each votervotes in his/her own interest 12 29. http://www.cs.uiowa.edu/~jones/voting/pictures/ 13 30. 1892 - Australian Ballothttp://www.cs.uiowa.edu/~jones/voting/pictures/ 14 31. The Ballot HandoffMcCain Alice the Voter 17 32. The Ballot HandoffMcCain Alice the Voter 17 33. The Ballot HandoffMcCain Alice the Voter 17 34. The Ballot HandoffMcCain Alice the Voter 17 35. The Ballot HandoffMcCainObama ObamaObama McCain McCainMcCainAlice the Voter 17 36. The Ballot HandoffMcCain ObamaObama ObamaMcCainMcCain McCainAlice the VoterBlack Box17 37. Chain of Custody18 38. Chain of Custody /*1* source* code*/if (...Vendor18 39. Chain of Custody /*1* source* codeVoting 2*/ Machine if (...Vendor18 40. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 18 41. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4Alice 18 42. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4Alice 18 43. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4Alice 5Ballot Box Collection18 44. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4AliceResults5 6 .....Ballot Box Collection 18 45. Chain of Custody/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4AliceResults5 6 .....Ballot Box Collection Black Box18 46. The Cost of Secrecy 47. The Cost of Secrecy 48. The Cost of Secrecy 49. The Cost of Secrecy 50. The Cost of Secrecy 51. But Secrecy is Important. Secret Ballot implemented in Chile in 1958. the secrecy of the ballot [...] hasrst-order implications for resource allocation, political outcomes, and social efciency.[BalandRobinson 2004] 52. Because we care about a meaningful result,weve made auditing very difcult.21 53. We are left chasing evidence of correctness.Meanwhile we destroy evidence on purpose.22 54. Obtaining Evidence/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor 4AliceResults5 6 .....Ballot Box Collection 23 55. Obtaining Evidence/*1 * source * codePollingVoting*/3 2 Location Machineif (... Vendor- source code audit- Logic & Accuracy- Parallel Testing- Voter-Veried Paper Audit Trail 56. Obtaining EvidencePolling Location3 - Multiple poll watcherscompeting afliations - No personal 4Aliceelectronic devicesat the polling station - Logging all events 57. Obtaining Evidence - redundant counts - ballot box seals - statistical auditing by partial recountsResults 5 6 ..... Ballot Box Collection 58. Fragmented, Adversarialand Indirect - each piece of evidence covers a small segment of the chain. - attacker knows the checks, and can try to sneak in where the chain is not covered. - to maintain security and for practical purposes, the evidence is very indirect. 59. The Effect of DREs- More to audit - Errors can have disproportionate effects - Software is not just for speed/efciency, it becomes central for integrity. 60. Software Independencean undetected mistake in the system does not cause an undetectable error in the tally. 61. Can we getmore direct, more end-to-endevidence? 62. Secret Ballot vs.VeriabilityVoting System convinceAlice Carl the Coercer 31 63. Secret Ballot vs.VeriabilityVoting System convinceAliceCarl the Coercer [Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Neff2001], [FS2001], [Chaum2004], [Neff2004], [Ryan2004], [Chaum2005]Punchscan, Scantegrity I & II, Civitas, ThreeBallot, Prt--Voter, Scratch & Vote, ...31 64. Public BallotsBulletin BoardBob: McCain Carol:Obama32 65. Public BallotsBulletin BoardBob: McCain Carol:Obama Alice32 66. Public Ballots Bulletin Board Alice: Bob:Obama McCainCarol: Obama Alice 32 67. Public Ballots Bulletin Board Alice: Bob:Obama McCainCarol: ObamaTallyObama....2 McCain....1 Alice 32 68. Encrypted Public Ballots Bulletin BoardAlice:Bob:RiceClintonCarol:Rice Tally Obama....2McCain....1 Alice33 69. Encrypted Public BallotsBulletin BoardAlice: Bob:Rice Clinton Carol: Ali Ricece verTally iesherv Obama....2ote McCain....1 Alice 33 70. Encrypted Public BallotsBulletin BoardAlice:Bob:RiceClinton Carol: Alice Rice ta lly ver e thTally iesriesveherv eryoneote E vObama....2 McCain....1 Alice 33 71. End-to-End Verication 72. End-to-End Verication/* * source * code Voting*/Machineif (... Vendor Polling Location 73. End-to-End Verication /** source* code Voting */Machine if (...VendorBallot Box /Polling Bulletin Board Location Alice 74. End-to-End Verication /** source* code Voting */Machine if (...VendorBallot Box / ResultsPolling Bulletin Board Location ..... Alice 75. End-to-End Verication /** source* code Voting */Machine if (...VendorBallot Box / ResultsPolling Bulletin Board Location ..... 1 AliceReceipt 76. End-to-End Verication /** source* code Voting */Machine if (...VendorBallot Box / ResultsPolling Bulletin Board Location ..... 1 2 AliceReceipt 77. Open-AuditElections 78. Evidence-BasedElections 79. Questions? ben_adida@harvard.edu