Cryptography and Voting Ben Adida Harvard University EVT & WOTE August 11th, 2009 Montreal, Canada
“If you think cryptography is the solution to your problem... then you don’t understand cryptography... and you don’t understand your problem.” -Peter, Butler, Bruce
Yet, cryptography solves problems that initially appear to be impossible.
There is a potential paradigm shift: a means of election verification far more powerful than other methods.
Three Points
1. Voting is a unique trust problem.
2. Cryptography is not just about secrets: it creates trust between competitors, and it democratizes the auditing process.
3. Open-Audit Voting is closing in on practicality.
1. Voting is a unique trust problem.
“Swing Vote”: terrible movie, hilarious ending.
Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. "She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not."
Bad Analogies. Dan Wallach’s great rump session talk: the point is not just that ATMs and planes are vulnerable (they are, but that’s not the point); it’s that voting is much harder.
Bad Analogies
Adversaries
➡ pilots vs. passengers (the airline is on your side, I think.)
➡ banking privacy is only voluntary: you are not the enemy.
Failure Detection & Recovery
➡ plane crashes & statements vs. 2% election fraud
➡ full banking receipts vs. destroying election evidence
Imagine
➡ a bank where you never get a receipt.
➡ an airline where the pilot is working against you.
Ballot secrecy conflicts with auditing; cryptography can reconcile them.
http://www.cs.uiowa.edu/~jones/voting/pictures/
Chain of Custody (figure): 1 Vendor (source code) → 2 Voting Machine → 3 Polling Location → 4 Alice → 5 Ballot Box Collection → 6 Results. The figure labels this whole path a Black Box.
Initially, cryptographers re-created physical processes in the digital arena.
Then, a realization: cryptography enables a new voting paradigm, Secrecy + Auditability.
Public Ballots (figure): a Bulletin Board listing Alice : Obama, Bob : McCain, Carol : Obama. Tally: Obama 2, McCain 1.
Encrypted Public Ballots (figure): the Bulletin Board entries are now encrypted (shown as Alice : Rice, Bob : Clinton, Carol : Rice). Tally: Obama 2, McCain 1. Alice verifies her vote; everyone verifies the tally.
End-to-End Verification (figure): Vendor (source code) → Voting Machine → Polling Location → Alice → Ballot Box / Bulletin Board → Results. Alice keeps a Receipt; the diagram numbers two verification points, 1 and 2.
Democratizing Audits. Each voter is responsible for checking their own receipt (no one else can). Anyone, a voter or a public organization, can audit the tally and verify the list of cast ballots. Thus, OPEN-AUDIT Voting.
2. Cryptography is not just about secrets: it creates trust between competitors.
NO! It is about increased transparency when some data must remain secret.
So, yes, we encrypt, and then we operate on the encrypted data in public, so everyone can see. In particular, because the vote is encrypted, it can remain labeled with the voter’s name.
“Randomized” Encryption. A keypair consists of a public key pk and a secret key sk. Enc_pk("Obama") = 8b5637; Enc_pk("McCain") = c5de34; Enc_pk("Obama") = a4b395 (a second encryption of the same vote yields a different ciphertext).
Threshold Decryption. The secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. For the ciphertext 8b5637: Dec_sk1 → b739cb, Dec_sk2 → 261ad7, Dec_sk3 → 7231bc, Dec_sk4 → 8239ba; combining the four partial decryptions yields "Obama".
Homomorphic Encryption: Enc(m1) × Enc(m2) = Enc(m1 + m2), because g^m1 × g^m2 = g^(m1 + m2). Then we can simply add “under cover” of encryption!
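As an added example, not the speaker's code, the following toy exponential-ElGamal sketch in Python ties together the randomized-encryption, threshold-decryption and homomorphic-addition slides above, plus the receipt check a voter performs against the bulletin board; the group parameters (P, Q, G) and the trustee key shares are constructed toy values, far too small for real use.

```python
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, G generates the order-Q subgroup.
# Real deployments use 2048-bit+ groups; these are tiny only so the final discrete log is cheap.
P, Q, G = 1019, 509, 4

def public_key(shares):
    """Trustee key shares add up to the secret key sk; pk = G^sk. No single trustee knows sk."""
    return pow(G, sum(shares) % Q, P)

def encrypt(pk, m, r=None):
    """Randomized encryption of a vote m in {0, 1}: (G^r, G^m * pk^r). A fresh r each time
    means two ballots for the same candidate look unrelated on the bulletin board."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P)

def receipt_matches(pk, m, r, posted):
    """Voter-side check: re-encrypt with the randomness on the receipt and compare to the board."""
    return encrypt(pk, m, r) == posted

def homomorphic_add(ciphertexts):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): multiply componentwise to add votes under encryption."""
    a, b = 1, 1
    for c1, c2 in ciphertexts:
        a, b = a * c1 % P, b * c2 % P
    return (a, b)

def partial_decrypt(share, ciphertext):
    """Each trustee contributes c1^share; the share itself is never revealed."""
    return pow(ciphertext[0], share, P)

def combine(partials, ciphertext):
    """Multiply all partials to get G^(r*sk), strip it off, then recover the small exponent (the tally).
    Only the aggregate is ever decrypted, so individual ballots stay secret."""
    d = 1
    for part in partials:
        d = d * part % P
    g_tally = ciphertext[1] * pow(d, -1, P) % P
    return next(t for t in range(Q) if pow(G, t, P) == g_tally)

def run_election(votes, shares):
    """Full flow: encrypt each vote, publish, aggregate, threshold-decrypt the sum only."""
    pk = public_key(shares)
    board = [encrypt(pk, v) for v in votes]
    total = homomorphic_add(board)
    return combine([partial_decrypt(s, total) for s in shares], total)
```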
Mixnets: c = Enc_pk1(Enc_pk2(Enc_pk3(m))). Each mix server “unwraps” a layer of this encryption onion.
Proving certain details while keeping others secret: for example, proving that a ciphertext encodes a given message without revealing its random factor.
Zero-Knowledge Proof (figure): a series of envelopes labeled “President : Mickey Mouse” alongside one labeled “Vote For : Obama”. This last envelope likely contains “Obama”.
Zero-Knowledge Proof (figure, continued): the same envelopes, now opened, with “Vote For” labels for McCain, Obama and Paul. Open envelopes don’t prove anything after the fact.
Electronic Experience (figure: Alice, Voting Machine, Encrypted Vote)
➡ Voter interacts with a voting machine that displays the encrypted ballot.
➡ Obtains a freshly printed receipt.
➡ Takes the receipt home and uses it as a tracking number.
➡ Receipts are posted for public tally.