Cryptography and Voting Ben Adida Harvard University EVT & - - PowerPoint PPT Presentation

Cryptography and Voting

Ben Adida Harvard University EVT & WOTE August 11th, 2009 Montreal, Canada

“If you think cryptography is the solution to your problem....

2

... then you don’t understand cryptography...

3

... then you don’t understand cryptography...

3

... and you don’t understand your problem.”

• Peter, Butler, Bruce

Yet, cryptography solves problems that initially appear to be impossible.

4

There is a potential paradigm shift. A means of election verification far more powerful than other methods.

5

Three Points

6

• 1. Voting is a unique trust problem.
• 2. Cryptography is not just about secrets,

it creates trust between competitors, it democratizes the auditing process.

• 3. Open-Audit Voting

is closing in on practicality.

1. Voting is a unique trust problem.

7

“Swing Vote” terrible movie. hilarious ending.

8

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. "She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not."

9

10

11

12

Bad Analogies

Dan Wallach’s great rump session talk. More than that ATMs and planes are vulnerable (they are, but that’s not the point) It’s that voting is much harder.

13

Bad Analogies

Adversaries

➡ pilots vs. passengers (airline is on your side, I think.) ➡ banking privacy is only voluntary:

you are not the enemy.

Failure Detection & Recover

➡ plane crashes & statements vs. 2% election fraud ➡ Full banking receipts vs. destroying election evidence

Imagine

➡ a bank where you never get a receipt. ➡ an airline where the pilot is working against you.

Ballot secrecy conflicts with auditing, cryptography can reconcile them.

14

http://www.cs.uiowa.edu/~jones/voting/pictures/

15

16

Vendor

/* * source * code */ if (...

1

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3 4

Alice

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3 4

Alice

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3 Ballot Box Collection 5 4

Alice

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3 Ballot Box Collection 5 Results ..... 6 4

Alice

16

Voting Machine 2

Vendor

/* * source * code */ if (...

1 Polling Location 3 Ballot Box Collection 5 Results ..... 6 4

Alice

Black Box

16

Chain of Custody

Chain of Custody

Chain of Custody

Chain of Custody

Chain of Custody

18

Initially, cryptographers re-created physical processes in the digital arena.

19

Then, a realization: cryptography enables a new voting paradigm Secrecy + Auditability.

20

Bulletin Board

Public Ballots

Bob: McCain Carol: Obama

21

Bulletin Board

Public Ballots

Bob: McCain Carol: Obama

Alice

21

Bulletin Board

Public Ballots

Alice: Obama Bob: McCain Carol: Obama

Alice

21

Bulletin Board

Public Ballots

Alice: Obama Bob: McCain Carol: Obama

Tally Obama....2 McCain.... 1

Alice

21

Encrypted Public Ballots

Bulletin Board

Alice: Rice Bob: Clinton Carol: Rice

Tally Obama....2 McCain.... 1

Alice

22

Encrypted Public Ballots

Bulletin Board

Alice: Rice Bob: Clinton Carol: Rice

Tally Obama....2 McCain.... 1

Alice

Alice verifies her vote

22

Encrypted Public Ballots

Bulletin Board

Alice: Rice Bob: Clinton Carol: Rice

Tally Obama....2 McCain.... 1

Alice

Alice verifies her vote Everyone verifies the tally

22

End-to-End Verification

End-to-End Verification

Polling Location Voting Machine

Vendor

/* * source * code */ if (...

End-to-End Verification

Polling Location Voting Machine

Vendor

/* * source * code */ if (...

Ballot Box / Bulletin Board

Alice

End-to-End Verification

Polling Location Voting Machine

Vendor

/* * source * code */ if (...

Ballot Box / Bulletin Board

Alice

Results .....

End-to-End Verification

Polling Location Voting Machine

Vendor

/* * source * code */ if (...

Receipt 1 Ballot Box / Bulletin Board

Alice

Results .....

End-to-End Verification

Polling Location Voting Machine

Vendor

/* * source * code */ if (...

Receipt 1 2 Ballot Box / Bulletin Board

Alice

Results .....

Democratizing Audits

24

Each voter is responsible for checking their receipt (no one else can.) Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots. Thus, OPEN-AUDIT Voting.

2. Cryptography is not just about secrets, creates trust between competitors.

25

NO! Increased transparency when some data must remain secret.

26

So, yes, we encrypt, and then we operate on the encrypted data in public, so everyone can see. In particular, because the vote is encrypted, it can remain labeled with voter’s name.

27

“Randomized” Encryption

28

“Randomized” Encryption

Keypair consists of a public key and a secret key .

sk pk

28

“Randomized” Encryption

Keypair consists of a public key and a secret key .

sk pk

"Obama" 8b5637

Encpk

28

“Randomized” Encryption

Keypair consists of a public key and a secret key .

sk pk

"Obama" 8b5637

Encpk

c5de34

Encpk

"McCain"

28

“Randomized” Encryption

Keypair consists of a public key and a secret key .

sk pk

"Obama" 8b5637

Encpk

c5de34

Encpk

"McCain"

a4b395

Encpk

"Obama"

28

Threshold Decryption

8b5637

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

29

Threshold Decryption

8b5637 b739cb

Decsk1

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

29

Threshold Decryption

8b5637 b739cb

Decsk1

261ad7

Decsk2

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

29

Threshold Decryption

8b5637 b739cb

Decsk1

261ad7

Decsk2

7231bc

Decsk3

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

29

Threshold Decryption

8b5637 b739cb

Decsk1

261ad7

Decsk2

7231bc

Decsk3

8239ba

Decsk4

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

29

Threshold Decryption

8b5637 b739cb

Decsk1

261ad7

Decsk2

7231bc

Decsk3

8239ba

Decsk4

Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt.

"Obama"

29

Homomorphic Encryption

30

Homomorphic Encryption

30

Enc(m1) × Enc(m2) = Enc(m1 + m2)

Homomorphic Encryption

30

Enc(m1) × Enc(m2) = Enc(m1 + m2)

Homomorphic Encryption

30

Enc(m1) × Enc(m2) = Enc(m1 + m2)

gm1 × gm2 = gm1+m2

Homomorphic Encryption

30

then we can simply add “under cover” of encryption! Enc(m1) × Enc(m2) = Enc(m1 + m2)

gm1 × gm2 = gm1+m2

Mixnets

31

Each mix server “unwraps” a layer of this encryption onion.

c = Encpk1 (Encpk2 (Encpk3 (m)))

Proving certain details while keeping others secret. Proving a ciphertext encodes a given message without revealing its random factor.

32

Zero-Knowledge Proof

33

Zero-Knowledge Proof

Vote For: Obama

President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse

Vote For: Obama

33

Zero-Knowledge Proof

This last envelope likely contains “Obama”

Vote For: Obama

President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse

Vote For: Obama

33

Zero-Knowledge Proof

Open envelopes don’t prove anything after the fact.

President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse

Vote For: Obama

President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse

Vote For: Paul

34

McCain

Electronic Experience

35

Voter interacts with a voting machine Obtains a freshly printed receipt that displays the encrypted ballot Takes the receipt home and uses it as a tracking number. Receipts posted for public tally.

Alice Voting Machine

Encrypted Vote

Paper Experience

36

Pre-print paper ballots with some indirection betw candidate and choice Break the indirection (tear, detach) for effective encryption Take receipt home and use it as tracking number. Receipts posted for public tally.

q r m x Adam - x Bob - q Charlie - r David - m q r m x

8c3sw

Adam - x Bob - q Charlie - r David - m

8c3sw

q r m x

8c3sw

8c3sw

David Adam Bob Charlie _______ _______ _______ _______ David Adam Bob Charlie _______ _______ _______ _______

8c3sw

3. Cryptography-based Voting (Open-Audit Voting) is closing in on practicality.

37

Benaloh Casting

38

Benaloh Casting

38

Alice

Benaloh Casting

38

Alice "Obama"

Benaloh Casting

38

Alice

Encrypted Ballot

"Obama"

Benaloh Casting

38

Alice

Encrypted Ballot

Alice "Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice "Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

Alice

Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

Alice "CAST"

Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

Alice "CAST"

Signed Encrypted Ballot Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

Alice "CAST"

Signed Encrypted Ballot

Alice

Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Benaloh Casting

38

"AUDIT" Alice

Encrypted Ballot

Alice

Decrypted Ballot

Alice "CAST"

Signed Encrypted Ballot

Alice

Signed Encrypted Ballot Decrypted Ballot Encrypted Ballot VERIFICATION

"Obama"

Many more great ideas

Neff’s MarkPledge

➡ high-assurance, human-verifiable, proofs of correct encryption

Scantegrity

➡ closely mirrors opscan voting

ThreeBallot by Rivest

➡ teaching the concept of open-audit without deep crypto

STV: Ramchen, Teague, Benaloh & Moran.

➡ handling complex election styles

Prêt-à-Voter by Ryan et al.

➡ elegant, simple, paper-based

39

Deployments!

UCL (25,000 voters) Scantegrity @ Takoma Park SCV

40

Three Points

41

• 1. Voting is a unique trust problem.
• 2. Cryptography is not just about secrets,

it creates trust between competitors, it democratizes the auditing process.

• 3. Open-Audit Voting

is closing in on practicality.

My Fear: computerization of voting is inevitable. without open-audit, the situation is grim.

42

My Hope: proofs for auditing partially-secret processes will soon be as common as public- key crypto is now.

43

Challenge:

44

Ed Felten: “you have no voter privacy, deal with it.”

Challenge:

44

Ed Felten: “you have no voter privacy, deal with it.”

Questions?

45