Cambridge

1
Prêt à VoterPractical, Voter-verifiable
Elections

Peter Y A Ryan University of Newcastle upon Tyne
2
Outline

• The problem.
• Voter-verifiability.
• Outline of Prêt à Voter Classic
• Prêt à Voter with re-encryption mixes
• Vulnerabilities and counter-measures

3
The Problem

• From the start it was recognised that people
  would be tempted to try to corrupt the outcome of
  democratic processes.
• The Ancient Greeks experimented with primitive
  technological solutions to try to shift the
  trust from people to mechanical devices.
• In the US they have been using technological
  devices for voting for over a century level
  machines since 1887 (or thereabouts), due to high
  levels of fraud with paper ballots. Edison
  patented an electronic voting device around that
  time.

4
The Computer Ate my Vote

• In this years presidential election, 30 of the
  electorate were using DRE, touch screen devices.
• Aside from the thank you for your vote for
  Kerry, have a nice day what assurance do they
  have that their vote will be accurately counted?
• What do you do if the vote recording and counting
  process is called into question?

5
The Mercuri Method

• Rebecca Mercuri and others have been advocating
  having DRE machines generate a paper audit trail.
• Voters get to see the paper record under glass
  and if they confirm it gets dropped in a ballot
  box.
• A.k.a. Voter Verifiable Paper Audit Trails VVPAT
  
• This seems to help but has problems of its own.

6
Technological solutions

• Digital voting technologies hold out promise of
  accessible and efficient democracy.
• But there are dangers, witness the fiascos in the
  US.
• Want high assurance that all votes are accurately
  recorded and counted-whilst maintaining ballot
  secrecy.
• The challenge is to reconcile these two
  conflicting requirements whilst minimising
  dependence on the components (booths, tellers
  etc.) of the scheme.
• Difficulty in validating an election correct
  outcome not known due to secrecy requirement.

7
Technical Requirements

• Key requirements
• Integrity/accuracy count (sufficiently)
  accurately reflects votes cast.
• Ballot secrecy the way a voter cast their vote
  should only be known to the voter.
• Voter verifiability the voter should be able to
  confirm that their vote is accurately included in
  the count and prove to a 3rd party if it is not
  (whilst not revealing their vote).
• Coercion resistance there should be no way for
  the voter to prove to a coercer which way they
  voted.
• Availability all eligible voters should be able
  to cast their vote without let or hindrance
  throughout the voting period.
• Ease of use, public trust, etc. etc..

8
Remote vs Supervised

• We need to draw a clear distinction between
  supervised and remote voting.
• In the former the voter casts their vote in
  enforced isolation, e.g., in a booth in a polling
  station.
• Remote voting, e.g., internet, such isolation
  cannot be enforced.
• Hence dangers of coercion.

9
Hazards of e-voting!
10
Assumptions

• For the purposes of the case study we will make
  many sweeping assumptions, e.g.,
• An accurate electoral register is maintained.
• Mechanisms are in place to ensure that voters can
  be properly authenticated.
• Mechanisms are in place to prevent double voting.
• Existence of a secure Web Bulletin Board.
• Etc.
• Note Prêt à Voter Classic is supervised rather
  than remote.

11
Voter-verifiability in a nutshell

• Voters are provided with an encrypted receipt
  and are able to verify the decryption in the
  booth.
• Copies of the receipts are posted to a secure web
  bulletin board. Voters can verify that their
  (encrypted) receipt is correctly posted.
• Tellers perform a robust anonymising mix on the
  batch of posted receipts, revealing the decrypted
  votes at the end.
• Checks are performed at each stage to detect any
  attempt to decouple the encryption on the receipt
  from the decryption performed by the tellers.

12
Prêt à Voter

• Uses pre-prepared ballot forms that encode the
  vote in familiar form (an ? against the chosen
  candidate).
• The candidate list is (independently) randomised
  for each ballot form.
• Information allowing the candidate list to be
  reconstructed is buried cryptographically in an
  onion on each ballot form.
• An excess number of forms are generated to allow
  for random auditing, before, during and after the
  election.

13
Example (single candidate choice)

• Each ballot form has a unique, secret, random
  seed s
• For each form, a permutation of the candidate
  list is computed as a publicly known function of
  this seed.
• The seed information is buried cryptographically
  using public keys of a number of tellers in an
  onion printed on the form.
• The seed can only be extracted by the collective
  actions of tellers, or suitable subset if a
  threshold scheme is used.

14
Typical Ballot Sheet
Epicurus
Democritus
Aristotle
Socrates
Plato
rJ9mn4R8
15
Voter marks their choice
Epicurus
Democritus ?
Aristotle
Socrates
Plato
rJ9mn4R8
16
Voters Ballot Receipt

?



rJ9mn4R8
17
Voter casts her vote

• Once the voter has made their choice, the LH
  strip is detached and discarded.
• RH strip constitutes the receipt which is fed
  into a device that reads the information on the
  right hand strip.
• Note the device does not learn the voters
  choice.
• The device will transmit a digital copy of the
  receipt to a central server, as a pair (r,
  Onion), for posting to the web bulletin board.
• The original RH strip is returned to Anne
  (digitally signed and franked).
• Here r (?Zv ) is the index value that encodes the
  position of the ?.

18
Remarks

• Note that the receipt reveals nothing about the
  vote.
• The onion carries the crypto seed, encrypted with
  the tellers public keys, that (a subset of) the
  tellers use to reconstruct the permutation of the
  candidate list.
• Without all of these secret keys (or an
  appropriate subset) the candidate list cannot be
  reconstructed and hence the vote value cannot be
  recovered.
• Vote is not directly encrypted, rather the frame
  of reference, i.e., the candidate list, is
  randomised and information defining the frame is
  encrypted.
• A VVPAT style mechanism can be incorporated.
• Works for ranked, STV etc.

19
Anonymisation and tabulation

• Once the election has closed and all receipts
  have been posted to the WBB, a set of tellers
  perform a robust anonymising mix on the receipts
• Receipts are decrypted by stages and undergo
  multiple secret shuffles. Intermediate stages are
  also posted to the WBB for audit.
• Tellers transform the r index value. The final
  r values that emerge from the mix give the raw
  vote value in the canonical basis.
• Any link between the original receipts and the
  decrypted values will be lost.

20
Seeds and offsets

• Suppose that we have k tellers. Each teller has
  two public key pairs. For each ballot form 2k
  random germs are generated
• gi,?ZN (some modest size N, e.g., 232)
• The seed value is taken to be the sequence of
  these germ g values
• Seed g0, g1, g2v, g3, ..... , g2k-1

21
Onion construction

• The germs are buried in the 2k layers of the
  onion
• D0 is a random value, unique to each ballot form.
  Then
• Di1 gi ,Di,PKTi, , i 0,., 2k-1
• Onion D2k
• Thus
• Onion g2k-1 ,g2k-1 ,..,g2,g1,g0, D0
  PKT_0 PKT_1 PKT_2..PKT_2k-2 PKT_2k-2
  PKT_2k-1

22
Candidate permutations

• These germs are used as keys for a random
  permutation function for each teller mix
• ?i f(gi), i0 through 2k-1
• The candidate list permutation ? is computed as
  the product of the 2k permutations computed above
  applied to the basis ordering ?0 to give the
  candidate order ? shown on the ballot form
• ? ? i02k-1 ?i??0

23
Basis ordering ?0

• We assume some canonical, basis ordering ?0 from
  which all the permuted orderings on the ballot
  forms are derived by applications of the
  permutation functions derived from the hidden
  seed values
• ?0
• Aristotle
• Democritus
• Epicurus
• Plato
• Socrates

24
Teller transformations

• Transformations on the ballot pairs
• On each ballot pair (ri, Di), the teller performs
  the transformation
• (ri, Di) ? (ri-1, Di-1)
• Recall
• DiSKTi-1 gi-1 ,Di-1
• And
• ri-1 f(gi-1) -1 (ri)
• Thus, one layer of onion is striped off and the
  revealed germ is used to compute the inverse of
  the ith permutation, which is applied to the
  index value.
• The final pair, (r0, D0) comprises the index
  value that represents the vote value in the basis
  ordering ?0 along with the inner onion value.

25

Batch 1
Batch 2
Batch 3
Teller 1
Teller 1'
26
What can go wrong

• For the accuracy requirement
• Ballot forms may be incorrectly constructed,
  leading to incorrect decryption of the vote.
• Ballot receipts could be corrupted before they
  are entered in the tabulation process.
• Tellers may perform the decryption incorrectly.
• We now discuss the counter-measures to these
  threats.

27
Checking the ballot forms

• We need to check that the seed buried in the
  onion does correspond to the candidate
  permutation shown on the ballot form.
• Checks can be performed by auditors and the
  voters to catch such corruption
• Random audits of ballot forms performed before,
  during and after the election period by the
  Electoral Reform Soc etc.
• Voters could also be invited to perform similar
  checks on randomly selected dummy forms. For
  example, voters could be invited to randomly
  select a pair of forms, one to check, one to cast
  their vote.

28
Auditing ballot forms

• To check the construction of the ballot forms the
  values on the form, onion and candidate ordering,
  can be reconstructed if the seed value is
  revealed.
• One of the innovations of Prêt à Voter is to use
  the tellers in an on-demand mode to reveal the
  secret seed value buried in the onion. Avoids
  problems with storing and selectively revealing
  seeds.
• Note, for this checking process, the tellers are
  used in an on-demand basis before and during the
  election-quite different to the batch mode for
  the anonymising mix after the election has closed.

29
Ballot form checking modes

• In fact, this oracle teller mode suggests several
  ways for voters to check the well-formedness of
  ballot forms
• Simple, single dummy vote
• Multiple or ranked dummy vote
• Given the onion value, the tellers return the
  candidate ordering
• Note vulnerable to authority/tellers collusion
  attacks.
• The auditor checks are the more rigorous not
  vulnerable to authority/teller collusions.

30
Recording and transmission

• To check that receipts are accurately recorded
  and input into the mix
• Voters can visit the WBB and check that their
  receipt appears correctly recorded.
• Voter checks can be supplemented by independent
  audit authorities checking the WBB against the
  VVPAT style record of ballot receipts.

31
Auditing the tellers

• Partial Random Checking of the teller
  transformations auditor randomly selects half
  the of the links to be revealed and checked, but
  in such a way as not to reveal any links across
  the two transformations performed by the teller.
• Go down middle WBB column for each teller and
  randomly assign ? or ? to each pair.
• For a ?(?), the tellers reveal the outgoing
  (incoming) link along with the associated
  re-encryption randomisation values.
• Note because no complete paths across a given
  tellers pair of mixes are revealed by the audit
  process, we can audit the tellers independently.

32
Auditing the tellers
Teller 1
Teller 1'
33
Advantages of Prêt à Voter

• Voter experience simple and familiar.
• No need for voters to have personal keys or
  computing devices.
• Ballot form commitments and checks made before
  election opens ? neater recovery strategies.
• The vote recording device doesnt get to learn
  the vote.
• Votes are not directly encrypted, just the frame
  of reference.
• Highly flexible.
• Works nicely for alternative voting systems, SVT,
  approval, ranked etc.
• Adaptable to remote voting (see Clarkson et al).

34
Enhancements

• Re-encryption mixes
• Distributed generation of ballot forms.
• Concealment of onion/candidate list associations.
• Separation of teller modes.

35
Re-encryption mixes

• Prêt à Voter Classic uses Chaumian (decryption)
  mixes.
• Alternatives
• re-encryption mixes.
• Homomorphism schemes etc.
• Advantages of re-encryption
• Tellers inject fresh entropy at each stage, hence
  onion size doesnt grow with number of tellers
  and germ size.
• Less dependence on availability of tellers a
  faulty mix teller can just be binned and
  replaced.
• Full mixing over the El Gamal group.
• Clean separation of mixing and decryption stages.
• Mixes and audits can be rerun afresh.
• Downsides
• Need shuffle commitments.
• Tricky to mesh with Prêt à Voters special
  encoding of votes.

36
Re-encryption mixes

• Prêt à Voters rather special representation of
  the vote in the receipts makes it tricky to mesh
  with re-encryption mixes. Some possible
  approaches
• Leave r, index terms unchanged through the mixes.
• Follow re-encryption mixes with Chaumian
  decryption mixes.
• Absorb the r into the onion value.
• transform both r and D terms leaving vote value
  invariant
• Add teller transforms to the index values,
  storing the entropy in an extra (pre-generated
  and audited) onion value.
• Use zero-knowledge/crypto-homomorphism approaches.

37
Discussion

• Option 1 allows the adversary to partition the
  mix according the index value, but might be okay
  where the number of voters vastly exceeds the
  number of ballot options.
• Option 2 again the re-encryption mix can be
  partitioned. Might be a reasonable compromise.
• Options 3 and 4 seems to work nicely but appears
  to necessitate malleable encryption for the terms
  that move through the mix.
• Option 5 works but looses conceptual simplicity
  (e.g., need to mix by value and by position
  separately)
• Option 6 promising, but seems to loose the
  conceptual simplicity of the PRC approach, and
  perhaps the linear scaling properties.

38
El Gamal encryption

• El Gamal encryption
• let ? be a generator of cyclic group Zp, p a
  large prime. Choose k (2?k?p-2) and let ? ?k
  (mod p).
• p, ? and ? made public, k kept secret.
• (Randomised encryption) of m in 0, , p-1
• (?x, ?x.m) (y1, y2)
• Re-encryption
• (?xy, ?xy.m)
• Note same as directly encrypting m with
  randomisation xy.
• Decryption
• m y2 /y1k

39
Re-encryption mixes

• Work in a similar way to decryption mixes
  described earlier
• Each mix teller takes in a batch of receipts
  encrypted with El-Gamal. For each it performs a
  re-encryption, choosing a different
  re-randomisation for each.
• It posts the resulting re-encrypted, shuffled
  ballots to the next column of the WBB.
• Mixes are followed by a (threshold) decryption
  stage.
• Afterwards, PRC can be performed in a similar way
  to that described earlier.
• Chaum-Pederson style ZK proofs of shuffles also
  seem possible with ElGamal onions.

40
Option 3

• For simplicity we will assume just random cyclic
  shifts of the candidate list.
• Let s be the candidate list offset. Encrypt ?-s
  in the El Gamal pair to form the onion.
• (?x, ?x. ?-s) (y1, y2)
• A receipt pair can be transformed to
• (r, ?x, ?x. ?-s) ? (?x, ?x. ?r-s)
• This can be put through a conventional
  re-encryption mix and the final decryption yields
  the vote value directly.
• Need slight elaboration for full permutations.
• Note for STV, ranked etc, we can mix the ballot
  cells separately.

41
Discussion

• Is the malleability of the onion terms
  problematic?
• Malleability of terms flowing through the mix
  seems not to be a problem from the accuracy point
  of view.
• From a secrecy point of view, it seems that it
  should be possible to perform a reduction style
  proof to the DH problem.
• Still need to ensure that ballot receipts are
  non-malleable. Digital signatures appear to
  achieve this.

42
Prêt à Voter Vulnerabilities

• Chain voting.
• Authority knowledge of ballot form information.
• Enforcing the destruction of LH strips.
• Separation of teller modes.

43
Chain Voting

• Effective against many conventional voting
  systems
• Coercer smuggles a blank ballot form out of the
  polling station and
• Marks it with their preferred candidate.
• They intercept a voter entering the polling
  station, hand them the marked up form and tell
  them that if they emerge from the station with a
  fresh, unmarked form they will be rewarded.
• Return to step 2.

44
Counter-measures

• In a system like the UK system in which voters
  are given a ballot form when they register and
  are them observed to cast the form in the ballot
  box, this can be quite effective if the voter
  emerges with a fresh, blank form it is a strong
  indication that they cast the coercers marked
  form.
• For a conventional system, a possible
  counter-measure is to use a system along the
  lines of the French system Ballot forms are not
  controlled, only their casting.
• Ballot forms are freely available at the polling
  station.
• Choice made in a booth by inserting ballot of
  choice in an envelope.
• Voters register when they cast their vote, in an
  envelope.

45
Chain voting and Prêt à Voter

• Particularly virulent with WBB systems. Above
  counter-measure fails.
• Note
• Voters dont need sight of the onion value in
  order to make their selection.
• casting an encrypted ballot can be in the
  presence of a voting official.
• Hence, possible countermeasures
• Conceal the onion under a scratch strip.
• Official checks scratch strip is intact at time
  of casting.
• Also need to check that form used to cast
  corresponds to the forms given to the voter when
  they register.
• Handling ballot forms in sealed envelopes also
  helps.
• Cryptographic analogues, e.g., crypto commitments
  to onion values.
• On demand printing of ballot forms-but harder to
  audit.

46
Distributed creation of ballots

• In Prêt à Voter Classic, the entities that create
  and handle the ballot forms must be trusted to
  keep onion/candidate lists secret.
• Countermeasures
• Create pairs on entangled onions (same seed).
  Conceal one under a scratch card (or
  cryptographically) and perform a pre-mix on the
  pairs.
• Have the tellers translate the exposed onions
  into candidate lists.
• Random audit the resulting forms.
• Cast encrypted receipts in presence of an
  official and reveal the onion value at this
  point.
• Further possibilities
• Mirror, robust pre-mix on entangled onions (run
  Plaintext Equivalence Tests (PET) the entangled
  onion pairs and PRC the mix)
• Just in time candidate lists.
• Just in time onions.
• Multiple entangled onions (independently reveal
  candidate lists for n-1)
• Plenty of possibilities, some adaptable to remote
  contexts.

47
Entangled onions

• ((?x, ?x. ?s), (?y, ?? y. ?s))
• Where ?? ?k?
• These pairs are put through a set of
  re-encryption anonymising mixes
• ((?x?, ?x?. ?s), , (?y?, ?? y?. ?s))
• Tellers can then decrypt the first onion to give
  the candidate permutation
• (?, (?y?, ?? y?. ?s))
• At the time of casting a layer of encryption can
  be stripped off the onion to give
• (?, (?y??, ?y??. ?s))

48
Destruction of LH strips

• For coercion resistance it is essential that
  voters not be able to exit the polling station
  with the LH strip.
• Countermeasures
• Procedural officials oversee destruction of LH
  strips.
• Mechanical device that automatically strips off
  the LH strip and discards it.
• Decoy strips plentiful supply of alternative LH
  strips provided in the booth.
• Scratch strips onion under the strip (in 2D bar
  code?) candidate list overprinted revealing the
  onion destroys the list.
• Disc ballots!? Ballot forms take the form of a
  pair of discs sealed together. After selection
  they are separated. Axial symmetry ensures that
  the original configuration is lost.
• Quantum!? Ballot forms using entangled q-bits.
  Measurement to reveal candidate lists collapses
  the wave functions.

49
Confusion of tellers modes

• Essential that any onion can be processed at most
  once.
• Allow on-demand teller mode only during the
  pre-election phase. Ensure that all audited
  ballot as destroyed.
• Procedural/Mechanical any processed form is
  invalidated to prevent reuse.
• Cryptographic, e.g., authentication codes that
  are destroyed when the onion is used.
• Just in time candidate lists revealed only at
  the time that the voter makes their selection.

50
Remote Prêt à Voter

• Naïve step casting vote by just submitting an
  onion and index value.
• More sophisticated, coercion resistant version (à
  la Clarkson, Myers) supply voters with a token,
  onion and encrypted candidate list.
• Tokens constructed like onions but with valid
  flag at the centre.
• Coerced voter can corrupt their token. Invalidity
  only revealed after the anonymising mixes.
• Designated verifier proofs to convince voters of
  the validity of their token.

51
Chaums Bingo Dauber scheme

• Presented at FEE 2005.
• Uses pen and paper and Prêt à Voters randomised
  candidate list (actually two per form, cf
  symmetrised proto-Prêt à Voter, WITS 2005 ).
• Used two layers rather than strips and bingo
  dauber to mark both sheets simultaneously
  through holes in upper layer.
• Retains voter cut and choose element.

52
Future work

• On the current model
• Determine exact requirements.
• Formal analysis and proofs.
• Construct threat and trust models.
• Investigate error handling and recovery
  strategies.
• Develop a full, socio-technical systems analysis.
• Develop prototypes and run trials, e.g., e-voting
  games!
• Investigate public understanding and trust.

53
Future work

• Beyond the current scheme
• Alternative sources of seed entropy Voters,
  optical fibres in the paper,?
• Protocols for distributed and on-demand
  generation and checking of ballot forms, e.g.,
  authenticated onion establishment.
• (Threshold) schemes to thwart collusion attacks
  on checking modes.
• Alternative robust mixes, e.g., ZK shuffle
  proofs.
• Adaptation to coercion resistant remote voting
  (e.g., Cornell work).

54
Acknowledgements

• With thanks to
• David Chaum
• Michael Clarkson
• James Heather
• Michael Jackson
• Thea Peacock
• Brian Randell
• Ron Rivest
• Steve Schneider
• Jeroen van der Graf
• and many others.

55
References

• David Chaum, Secret-Ballot receipts True
  Voter-Verifiable Elections, IEEE Security and
  Privacy Journal, 2(1) 38-47, Jan/Feb 2004.
• J W Bryans P Y A Ryan A Dependability Analysis
  of the Chaum Voting Scheme, Newcastle Tech
  Report CS-TR-809, 2003.
• J W Bryans P Y A Ryan, Security and Trust in a
  Voter-verifiable Election Scheme, FAST 2003.
• P Y A Ryan J W Bryans A Simplified Version of
  the Chaum Voting Scheme, Newcastle TR 2004
• P Y A Ryan, Towards a Dependability Case for the
  Chaum Voting Scheme, DIMACS June 2004.
• P Y A Ryan, E-voting, presentation to the
  Caltech/MIT workshop on voting technology, MIT
  Boston 1-2 October 2004.
• P Y A Ryan, A Variant of the Chaum
  Voter-verifiable Election scheme, WITS, 10-11
  January 2005 Long Beach Ca.
• D Chaum, P Y A Ryan, S A Schneider, A Practical,
  Voter-Verifiable Election Scheme, Newcastle TR
  880 December 2004, Proceedings ESORICS 2005, LNCS
  3679.
• B Randell, P Y A Ryan, Trust and Voting
  Technology, NCL CS Tech Report 911, June 2005,
  to appear IEEE Security and Privacy Magazine.
• P Y A Ryan, T Peacock, Prêt à Voter, A Systems
  Perspective, NCL CS Tech Report 929, September
  2005, submitted to IEEE Security and Privacy
  Symposium 2006.
• Frontiers of Electronic Elections, FEE 2005,
  http//www.win.tue.nl/berry/fee2005/
• Clarkson and Myers, Coercion-resistant Remote
  Voting using Decryption Mixes, at FEE 2005.