Privacy and fairness in a variant of Prêt-à-voter
Ben Smyth and Mark Ryan, School of Computer Science, The University of Birmingham
Electronic voting currently
- Electronic voting is eagerly being taken up by governments and other organisations the world over.
– The situation in the USA
- Proprietary system, with weak security properties. “15 year old in garage could manufacture cards and sell them on the internet that would allow multiple votes” [Avi Rubin]
- “I voted party p1 and the system said ‘Thank you, we have recorded your vote for party p2.’” (Radio phone-ins, websites)
- Allegations of involvement of equipment supplier with a political party
– The situation in Estonia
- Internet voting offered to entire electorate
- Authentication by smart cards
- Re-voting allowed, to combat coercion
Desirable properties of voting systems
- Desired properties of electronic voting systems
– Eligibility: only eligible voters can vote, and only once.
– Fairness: no early results can be obtained which could influence the remaining voters.
– Privacy: no-one can link a voter and her vote.
– Receipt-freeness: no receipt or other artifact is issued which would enable the voter to prove how she voted.
– Coercion-resistance: a voter cannot convince a coercer that she voted how he instructed.
Desirable properties of voting systems
- Some other properties
– Individual verifiability: a voter can verify that her vote was counted.
– Universal verifiability: a voter can verify that the published result is the tally of the votes cast.
– Robustness: voters cannot disrupt the election. Faulty behaviour is tolerated.
– Vote-and-go: voters participate in one session.
Prêt-à-voter
- A voting scheme designed by Chaum / P. Ryan / Schneider
– Ballot papers have candidates listed in a random rotation of the official list
– An onion encodes the offset needed to cycle back to the correct order
– At vote time, the left-hand strip is detached and destroyed
– The right-hand strip is given to the first of a series of Tellers
- each one decrypts a layer of the onion and computes a component of the offset
- then hands it on to the next one
[Figure: a sample Prêt-à-voter ballot form. The left-hand strip, headed "Candidate", lists David, Tony, Menzies, Caroline and Arthur in a random rotation; the right-hand strip, headed "Put X", is where the voter marks and carries the printed onion 7rJ#94iU.]
Prêt-à-voter
[Figure: the Prêt-à-voter onion and its processing. The onion D is a nested encryption of the germs g_i under the tellers' keys T_i; the offset is the sum of the hashed germs h(g_i), reduced mod v. The ballot from Alice passes from teller T_{2k-2} through T_{2k-4}, ..., T_2, T_0 to the Administrator; at each stage a teller performs mix / subtr / decr, peeling one layer of the onion and subtracting its component of the offset.]
Corrupt election officials
- Voting systems should be designed to work securely even if the election officials are corrupt
– Fairness: results cannot be released before the election closes.
– Privacy: no-one can link a voter and her vote.
– Coercion-resistance: a voter cannot convince a coercer that she voted how he instructed.
- PaV fails to satisfy these properties
– The authority that issues the ballot papers can reveal the vote without the need of the tellers (breaking fairness)
– And it can link the ballot paper with the published results (breaking privacy and coercion-resistance)
Fixing PaV
- In PaV, the onion is constructed by the authority
- The authority can link onion and offset, and therefore compute the vote from the information posted on the bulletin board. Hence privacy (and therefore coercion-resistance) and fairness fail.
- Even if the voter constructs the onion, coercion-resistance fails. She can prove an onion (and hence a vote) is hers by demonstrating knowledge of the germs g_i. From these, the onion and the corresponding offset can be constructed.
[Figure: the onion D, the nested encryption of the germs g_i under the tellers' keys T_i, as on the earlier slide.]
Better fix for PaV
- The voter constructs an onion with help from the tellers
[Figure: distributed construction of the onion. The onion D is built from layer germs c_0, c_1, c_2, ... in place of the g_i. Each teller T_i contributes a share g_{i,j} for every layer j, encrypted under teller T_j's key as {g_{i,j}}_{T_j}: T_0 contributes {g_{0,0}}_{T_0}, {g_{0,1}}_{T_1}, {g_{0,2}}_{T_2}, ...; T_1 contributes {g_{1,0}}_{T_0}, {g_{1,1}}_{T_1}, {g_{1,2}}_{T_2}, ...; T_2 and T_3 likewise. The contributions to layer j are combined into c_j.]
Better fix for PaV
- No-one knows all the g_{ij}'s, and no-one (except the voter) knows the offset. The voter can show the coercer how to reconstruct the onion, but she can't convince him about the offset.
[Equation: the onion D of the fixed scheme, in which the germ of each layer is the product ∏_i of the tellers' contributions g_{i,j}, nested under the tellers' keys.]
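As an added example (not from the slides or the authors' paper), a Python toy of the two mechanisms above: the onion/offset of Prêt-à-voter, where each teller peels one layer and subtracts one component, and the distributed construction of the better fix, where every teller contributes a share for every layer and the shares of a layer are multiplied while still encrypted so that only teller T_j ever sees the combined germ c_j. The ElGamal parameters, the hash-to-component function h, and the simplification of one layer per teller are assumptions of this example.

```python
import hashlib
import random
from functools import reduce
from math import prod

# Constructed toy ElGamal parameters (far too small for real use): a key is
# (secret x, public y = G^x mod P); a ciphertext of m is (G^r, m * y^r) mod P.
P, G = 1000000007, 5

def enc(y, m, rng):
    r = rng.randrange(2, P - 2)
    return pow(G, r, P), m * pow(y, r, P) % P

def dec(x, ct):
    return ct[1] * pow(ct[0], P - 1 - x, P) % P   # ct[0]^(-x) via Fermat

def mul(c1, c2):
    # ElGamal is multiplicatively homomorphic: Enc(m1) * Enc(m2) = Enc(m1 * m2).
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def h(germ, v):
    # Hash a layer germ down to an offset component in 0..v-1 (v candidates).
    return int.from_bytes(hashlib.sha256(str(germ).encode()).digest(), "big") % v

def build_layers(pubkeys, rng):
    """Every teller i picks a share g_ij for every layer j and encrypts it under
    teller j's key; layer j's shares are multiplied while still encrypted, so the
    layer germ c_j = prod_i g_ij is never seen by any single contributor."""
    n = len(pubkeys)
    shares = [[rng.randrange(2, P - 1) for _ in range(n)] for _ in range(n)]
    layers = [reduce(mul, (enc(y, shares[i][j], rng) for i in range(n)))
              for j, y in enumerate(pubkeys)]
    return shares, layers

def offset_from_shares(shares, v):
    # Only a party holding every share can compute the full offset this way.
    n = len(shares)
    return sum(h(prod(shares[i][j] for i in range(n)) % P, v) for j in range(n)) % v

def run_election(n_tellers, v, marked_pos, seed):
    """Ballot position p shows candidate (p - offset) mod v. Each teller decrypts
    only its own layer and learns one component h(c_j); subtracting them all
    cycles the mark back to the official candidate order."""
    rng = random.Random(seed)
    keys = [(x, pow(G, x, P)) for x in [rng.randrange(2, P - 2) for _ in range(n_tellers)]]
    shares, layers = build_layers([y for _, y in keys], rng)
    components = [h(dec(x, ct), v) for (x, _), ct in zip(keys, layers)]
    return offset_from_shares(shares, v), components, (marked_pos - sum(components)) % v
```

`run_election` returns the offset as the share-holder would compute it, the per-teller components, and the candidate recovered from the marked position; the first equals the sum of the components mod v only because all tellers contributed.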
Properties of fixed PaV
- Privacy
- Fairness
- Coercion-resistance holds except that the voter can prove to the last teller how she voted. (Can probably be fixed too!)
P. Ryan / Peacock variant
- Also a solution which relies on distributing the construction of the ballot
– so that the relation between the ballot and the offset is not learned by any entity.
[Figure: ballot forms in the Ryan / Peacock variant. One form lists David, Tony, Menzies, Caroline and Arthur under "Candidate" with a "Put X" column and the printed value 7rJ94iU; two further forms show only the "Candidate" / "Put X" headings with the printed values hY7^8FG and 7rJ94iU.]
- In the UK?
- In the USA?
- What about Zimbabwe?