SLIDE 1
Scratch & Vote:
Self-Contained Paper-Based Cryptographic Voting
Ben Adida Ronald L. Rivest
Scratch & Vote : Self-Contained Paper-Based Cryptographic - - PowerPoint PPT Presentation
Scratch & Vote : Self-Contained Paper-Based Cryptographic - - PowerPoint PPT Presentation
Scratch & Vote : Self-Contained Paper-Based Cryptographic Voting Ben Adida Ronald L. Rivest 30 October 2006 The Next Harvard Pres! Chain of Custody Chain of Custody 1 /* * source * code */ if (... Vendor Chain of Custody 1 /* *
SLIDE 2
SLIDE 3
The Next Harvard Pres!
SLIDE 4
Chain of Custody
SLIDE 5
Chain of Custody
Vendor
/* * source * code */ if (...
1
SLIDE 6
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1
SLIDE 7
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3
SLIDE 8
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3 4
Alice
SLIDE 9
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3 4
Alice
SLIDE 10
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3 Ballot Box Collection 5 4
Alice
SLIDE 11
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3 Ballot Box Collection 5 Results ..... 6 4
Alice
SLIDE 12
Chain of Custody
Voting Machine 2
Vendor
/* * source * code */ if (...
1 Polling Location 3 Ballot Box Collection 5 Results ..... 6 4
Alice
VVPAT
SLIDE 13
End-to-End
SLIDE 14
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
SLIDE 15
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Ballot Box / Bulletin Board
Alice
SLIDE 16
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Ballot Box / Bulletin Board
Alice
Results .....
SLIDE 17
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Receipt 1 Ballot Box / Bulletin Board
Alice
Results .....
SLIDE 18
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Receipt 1 2 Ballot Box / Bulletin Board
Alice
Results .....
SLIDE 19
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Receipt 1 2 Ballot Box / Bulletin Board
Alice
Results .....
Cryptographic Voting
SLIDE 20
End-to-End
Polling Location Voting Machine
Vendor
/* * source * code */ if (...
Receipt 1 2 Ballot Box / Bulletin Board
Alice
Results .....
Cryptographic Voting Open-Audit Voting
SLIDE 21
Properties of OAV
(1) Alice verifies her vote. (2) Everyone verifies tallying. (3) Alice cannot be coerced by Eve.
SLIDE 22
A Bulletin Board
Bulletin Board
Bridget: Clinton Carol: Rice
SLIDE 23
A Bulletin Board
Bulletin Board
Bridget: Clinton Carol: Rice
Alice
SLIDE 24
A Bulletin Board
Bulletin Board
Alice: Rice Bridget: Clinton Carol: Rice
Alice
SLIDE 25
A Bulletin Board
Bulletin Board
Alice: Rice Bridget: Clinton Carol: Rice
Tally Rice.........2 Clinton...1
Alice
SLIDE 26
An Encrypted Bulletin Board
Bulletin Board
Alice: Rice Bridget: Clinton Carol: Rice
Tally Rice.........2 Clinton...1
Alice
SLIDE 27
Verification Ballot Data Flow
SLIDE 28
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 29
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 30
anonymization
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 31
decryption anonymization
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 32
decryption anonymization
Results Tally
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 33
decryption anonymization
Results Tally
Registration Database
Verification Ballot Data Flow
Encrypted Votes
Alice Bridget
encryption
SLIDE 34
The Need for Simple
SLIDE 35
The Need for Simple
- Too complicated = disenfranchisement.
voter experience needs to be almost as simple as it is today
SLIDE 36
The Need for Simple
- Too complicated = disenfranchisement.
voter experience needs to be almost as simple as it is today
- Intuitive enough for officials to adopt
SLIDE 37
The Need for Simple
- Too complicated = disenfranchisement.
voter experience needs to be almost as simple as it is today
- Intuitive enough for officials to adopt
- But... let’s not expect everyone to
understand everything.
SLIDE 38
Continuing the Simplicity Trend
- Chaum’s Punchscan
- Ryan’s Prêt-à-Voter
- Benaloh’s “simple cryptographic voting”
SLIDE 39
Scratch-and-Vote Experience
SLIDE 40
_______ _______ _______ _______ Charlie Adam Bob David _______ _______ _______ _______ Bob Charlie David Adam
- 1. Receive two ballots.
SLIDE 41
- 2. Choose one randomly
for auditing by scratch-off.
_______ _______ _______ _______ Charlie Adam Bob David
r1 r2 r3 r4
Charlie Adam Bob David
SLIDE 42
_______ _______ _______ _______ Bob Charlie David Adam
- 3. Vote.
SLIDE 43
Charlie Bob David Adam Charlie Bob Adam David Adam Bob Charlie David
Bob Charlie David Adam _______ _______ _______ _______
- 4. Tear & Discard
left half of ballot.
SLIDE 44
_______ _______ _______ _______
Scan & take home
- 5. Tear & Discard
scratch-off.
SLIDE 45
Tallying
SLIDE 46
Bulletin Board
Alice Bridget Carol
_______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______
SLIDE 47
PARAMETERS #1 - Adam #2 - Bob #3 - Charlie #4 - David M=28, Key = pk
_______ _______ _______ _______ Bob Charlie David Adam
r1 r2 r3
Epk(228; r1) Epk(256; r2) Epk(284; r3) Epk(20; r4) H(pk) r4
SLIDE 48
Vote for Adam Vote for Bob Vote for Charlie 0000 0001 0000 0000 0001 0000 0000 0000 0000 0000 0000 0001 Vote for David 0000 0000 0001 0000 0004 0001 0008 0002 Sample Tally
[B+2001, P1999]
Homomorphic Tallying
SLIDE 49
Proof of Ballot (NIZK)
SLIDE 50
Proof of Ballot (NIZK)
- Malicious
Voter submits: Enc(1000)
SLIDE 51
Proof of Ballot (NIZK)
- Malicious
Voter submits: Enc(1000)
- in S&V, ciphertexts are picked ahead of time
SLIDE 52
Proof of Ballot (NIZK)
- Malicious
Voter submits: Enc(1000)
- in S&V, ciphertexts are picked ahead of time
- but... what if election officials collude with a
voter to throw the election with a bad ballot?
SLIDE 53
Proof of Ballot (NIZK)
- Malicious
Voter submits: Enc(1000)
- in S&V, ciphertexts are picked ahead of time
- but... what if election officials collude with a
voter to throw the election with a bad ballot?
- election officials must prepare proofs of
correct ballot form ahead of time, on bulletin board (~80K per full ballot).
SLIDE 54
Practical Considerations
- Ballot
Verification: less than a second.
- Barcode Encoding: PDF417 open standard.
- Barcode Size: 10 square inches of barcode for
a full sheet visual ballot.
- Proof Time: ~3 seconds per ballot.
5 questions, 5 options per question.
SLIDE 55
Limitations
- Write-in
Votes: not supported
- Take-Home Receipt: not currently legal
SLIDE 56
Scratch & Vote
- Personal Verification: scratch and verify
- Open-Audit: anyone can verify the tally
- Incoercible: voting booth & encryption
- Simple: common & cheap tech, process is
close to current voting.
SLIDE 57