CSCI284 Spring 2005 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Voting
  • CSCI284 Spring 2005
  • GWU

This telling is influenced by Josh Benaloh and Sara
Robinson.
2
Goals of an election
  • Integrity: each vote is correctly counted
  • Anonymity: a vote cannot be connected to a voter
    (without voter complicity)
  • Involuntary privacy: a voter cannot prove how she
    voted

3
Goals of an election
  • Voter verifiability: a voter can confirm that her
    vote was
      • counted as cast and
      • anonymous
  • Public verifiability: a member of the public can
    verify that the election has integrity, anonymity
    and involuntary privacy
  • Robustness: an individual cannot falsely charge
    that the above objectives were not achieved

4
Typical election participants and roles
  • Voter: requires that her vote is
      • counted correctly and
      • anonymous.
  • Polling Booth/Station:
      • correctly communicates votes
      • ensures voter anonymity
      • ensures only legitimate voters vote
      • ensures each voter votes only once

5
Typical election participants contd.
  • Trustees: ensure that votes are counted correctly
    and anonymously after leaving the polling booth
  • Independent Third Parties: observe and ensure the
    process is followed at the polling booth
  • Auditor/Certification Authority: certifies that
    election results were determined as specified
  • Public: follow the election process as much as
    possible

6
Anonymity and Integrity
7
Anonymity and Integrity
  • Either
      • hide the voter (e.g. Chaum MIXnet (1981)) or
      • hide the vote (Benaloh Homomorphic Secret
        Sharing)
    all through the process.
  • Both require more than one trustee
  • Inspired by Electronic Voting Schemes (Zuzana
    Rjaskova, MSc thesis, 2003)

8
Hide the voter: a single MIX
MIX i performs a decryption shuffle: it strips its own
encryption layer $E_{K_i}$ from each of the k inputs and
outputs the results in a secret permutation $\pi$.

  Input to MIX i                                  Output of MIX i
  $E_{K_i}(E_{K_{i+1}}(\dots E_{K_n}(m_1)))$      $E_{K_{i+1}}(\dots E_{K_n}(m_{\pi(1)}))$
  $E_{K_i}(E_{K_{i+1}}(\dots E_{K_n}(m_2)))$      $E_{K_{i+1}}(\dots E_{K_n}(m_{\pi(2)}))$
  ...                                             ...
  $E_{K_i}(E_{K_{i+1}}(\dots E_{K_n}(m_k)))$      $E_{K_{i+1}}(\dots E_{K_n}(m_{\pi(k)}))$
9
Hide the voter: MIXnet
Many consecutive MIXes, run by trustees in e-voting:

  Trustee 1 (MIX 1) → Trustee 2 (MIX 2) → ... → Trustee n (MIX n) → Count decrypted votes
10
Hide the vote: Homomorphic Secret Sharing
  • Use a secret sharing scheme where the sum of the
    shares are shares of the sum of the secrets (votes):
      $v_i \rightarrow (s_{i1}, s_{i2}, \dots, s_{iN})$
      $\sum_{i=1}^{K} v_i \rightarrow (\sum_{i=1}^{K} s_{i1}, \sum_{i=1}^{K} s_{i2}, \dots, \sum_{i=1}^{K} s_{iN})$
  • And a public key cryptosystem where encrypted values
    of the sum of shares can be computed from encrypted
    values of the shares:
      $(E_j(s_{1j}), E_j(s_{2j}), \dots, E_j(s_{Kj})) \rightarrow E_j(\sum_{i=1}^{K} s_{ij})$

11
Hide the vote: each trustee calculates a share
of the sum
  • Each voter splits her vote into a share each for
    the N trustees:
      $v_i \rightarrow (s_{i1}, s_{i2}, \dots, s_{iN})$
  • She encrypts each share with the public key of
    the corresponding trustee, $E_j(s_{ij})$, and sends it
  • Each trustee computes its share of the sum of the
    votes:
      $(E_j(s_{1j}), E_j(s_{2j}), \dots, E_j(s_{Kj})) \rightarrow E_j(\sum_{i=1}^{K} s_{ij}) \rightarrow \sum_{i=1}^{K} s_{ij}$
  • Anyone can compute the sum of the votes from the
    shares:
      $(\sum_{i=1}^{K} s_{i1}, \sum_{i=1}^{K} s_{i2}, \dots, \sum_{i=1}^{K} s_{iN}) \rightarrow \sum_{i=1}^{K} v_i$
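The share-and-sum step of the two slides above, as an added example that is not from the presentation: additive secret sharing of yes/no votes across N trustees modulo an assumed prime P, with each trustee summing its own column and anyone combining the published sums. The per-trustee encryption $E_j$ of shares in transit is left out; the point shown is that the column sums are shares of the tally.

```python
import secrets

# Added example (not from the presentation): additive secret sharing of K yes/no
# votes across N trustees. A vote v_i is split into shares s_i1..s_iN with
# s_i1 + ... + s_iN = v_i (mod P); trustee j only sees column j, and the column
# sums are shares of the tally. Encryption of shares in transit is omitted.
P = 2**61 - 1  # prime modulus, an assumption of this example; shares are uniform in [0, P)


def share_vote(vote, n_trustees):
    """Split one vote (0 = no, 1 = yes) into n_trustees additive shares mod P."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    shares = [secrets.randbelow(P) for _ in range(n_trustees - 1)]
    shares.append((vote - sum(shares)) % P)  # last share forces the sum to equal the vote
    return shares


def trustee_sum(all_shares, j):
    """Trustee j's share of the total: the sum of column j over all voters."""
    return sum(row[j] for row in all_shares) % P


def combine(trustee_sums):
    """Anyone can add the trustees' published sums to obtain the 'yes' count."""
    return sum(trustee_sums) % P


def run_election(votes, n_trustees):
    """Return (tally, per-trustee sums) for a list of 0/1 votes."""
    all_shares = [share_vote(v, n_trustees) for v in votes]
    sums = [trustee_sum(all_shares, j) for j in range(n_trustees)]
    return combine(sums), sums


if __name__ == "__main__":
    tally, sums = run_election([1, 0, 1, 1, 0], 3)
    print("yes votes:", tally)                        # 3
    print("from 2 of 3 trustees:", combine(sums[:2]))  # a uniformly random value, not the tally
```

Dropping any one trustee's sum leaves a value that is uniform in [0, P), which is why the slides require more than one trustee for anonymity.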

12
It can be shown that both methods provide anonymity and
integrity
  • Homomorphic secret sharing as described
    previously requires the existence of a secure
    homomorphic encryption scheme; ElGamal is
    thought to be one such scheme
  • Another option is for the voter to send to each
    trustee the vote encrypted with a share of a key,
    so that the trustees get together to obtain the vote.
    RSA is thought to be capable of providing the
    homomorphic properties for this.

13
Voter Verifiability
[Figure: the system so far. Trustees: counting, anonymity]
14
Voter verifiability
  • Challenge: allow the voter to keep a record of
    her vote so she can
      • determine that it was counted as cast (voter
        verifiability)
      • yet not prove how she voted (involuntary privacy)
  • Further, this record ought to be on paper, so as
    to allow processing of the vote in case of
    failure of the electronic systems

15
Paper Record Solution (Chaum, Neff)
  • Encrypted paper receipts which can be decrypted
    only by a subset of trustees
  • Example: the encrypted vote that is input to the
    MIXnet
  • Example: the encrypted shares sent to individual
    trustees using homomorphic encryption

16
How does the voter know the encryption decrypts
to her vote?
  • Chaum solution: provide two symmetric, encrypted
    paper ballots such that
      • One ballot on top of the other provides the
        decrypted ballot
      • The voter chooses which ballot to take away
  • Each ballot has, before the voter chooses,
    printed commitments (the encrypted versions of
    both ballots for the trustees) and a serial
    number
  • After the voter chooses, the seed for the
    encrypted version
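A byte-level abstraction of the two-ballot idea above, added here as an example and not from the presentation or from Chaum's papers: two random layers that XOR to the vote, commitments to both printed before the voter chooses, and a check anyone can run on the layer the voter keeps. Chaum's actual receipts use visual cryptography on pixel grids; the fixed 16-byte encoding and the hash commitment are assumptions of this example.

```python
import hashlib
import secrets

# Added example (not from the presentation): two-layer receipts as bytes.
# Each layer is LAYER_LEN bytes; the two XOR to the vote; either layer alone is
# uniformly random, so the layer the voter keeps cannot prove how she voted,
# while the commitment printed before her choice binds the booth to that layer.
LAYER_LEN = 16  # assumed fixed ballot encoding length


def commit(serial, layer):
    """Commitment printed on the ballot before the voter chooses (hash of serial and layer)."""
    return hashlib.sha256(serial.to_bytes(4, "big") + layer).hexdigest()


def print_ballot_pair(vote, serial):
    """Booth builds two layers whose XOR is the vote, plus commitments to both."""
    plain = vote.encode("utf-8").ljust(LAYER_LEN, b"\0")
    if len(plain) != LAYER_LEN:
        raise ValueError("vote too long for the fixed encoding")
    top = secrets.token_bytes(LAYER_LEN)
    bottom = bytes(a ^ b for a, b in zip(top, plain))
    return {"serial": serial, "top": top, "bottom": bottom,
            "commitments": {"top": commit(serial, top), "bottom": commit(serial, bottom)}}


def overlay(ballot):
    """Voter's in-booth check: one layer on top of the other shows the decrypted vote."""
    joined = bytes(a ^ b for a, b in zip(ballot["top"], ballot["bottom"]))
    return joined.rstrip(b"\0").decode("utf-8")


def take_receipt(ballot, choice):
    """Voter keeps the chosen layer and the commitments; the other layer is destroyed."""
    return {"serial": ballot["serial"], "layer": choice,
            "data": ballot[choice], "commitments": ballot["commitments"]}


def verify_receipt(receipt):
    """Anyone can check that a posted receipt matches the commitment the booth printed."""
    return commit(receipt["serial"], receipt["data"]) == receipt["commitments"][receipt["layer"]]


if __name__ == "__main__":
    ballot = print_ballot_pair("candidate A", 1001)
    print(overlay(ballot))                       # candidate A
    receipt = take_receipt(ballot, "top")
    print(verify_receipt(receipt))               # True
```

The commitment only helps if the voter checks the overlay before one layer is destroyed; the kept layer by itself verifies the booth's commitment, not the vote.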

17
Public Verifiability
[Figure: the system so far. Polling Booth → voter-verified encrypted vote → Trustees (counting, anonymity). Open question: store link between vote and serial number?]
18
Public verifiability
  • The polling booth needs to be checked to
    determine it is
      • Communicating votes correctly (including no
        ballot stuffing)
      • Not retaining copies of votes linked to voter (or
        voter sequence)
      • Issuing valid receipts
  • The trustees need to be audited to determine that
    they are following the decryption/counting/anonymizing
    process.

19
Polling booth check obtained by
  • Posting all receipts to be counted at a publicly
    accessible place, such as a website
  • Voters or their representatives can check the
    presence of their receipts
  • Voters, Interested Third Parties and Auditors can
    check commitments to ensure that each receipt was
    appropriately generated by the Polling Booth

20
Need participation
  • Need a minimum number of checks of both
      • receipt presence (only possible through voter
        participation) and
      • receipt accuracy (does not require voter
        participation)
    to ensure a given probability that all votes
    posted were correctly generated
  • Without these checks, voting is not less accurate
    than that of any electronic system without checks
  • Might be less accurate than a mechanical/physical
    system which requires more effort to break?
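To put a number on the "minimum number of checks" above, here is an added calculation that is not from the presentation: if `bad` of `total` posted receipts were incorrectly generated and auditors check receipts chosen uniformly at random without replacement, the chance of catching none is hypergeometric, and the functions below turn that into the audit size needed for a target detection probability.

```python
import math

# Added example (not from the presentation): sizing the receipt-accuracy audit.
# If `bad` of `total` posted receipts are wrong and `checks` distinct receipts
# are sampled at random, P(no bad receipt drawn) = C(total-bad, checks) / C(total, checks).


def detection_probability(total, bad, checks):
    """Probability that `checks` distinct random receipts include at least one bad one."""
    if bad < 0 or bad > total or checks < 0 or checks > total:
        raise ValueError("invalid parameters")
    if bad == 0:
        return 0.0
    if checks > total - bad:
        return 1.0  # more checks than good receipts: a bad one must be drawn
    return 1.0 - math.comb(total - bad, checks) / math.comb(total, checks)


def checks_needed(total, bad, target):
    """Smallest number of checks whose detection probability reaches `target`."""
    checks = 0
    while detection_probability(total, bad, checks) < target:
        checks += 1
        if checks > total:
            raise ValueError("target unreachable with this many bad receipts")
    return checks


def audit_table(total, fractions, target):
    """Checks needed for several assumed fractions of bad receipts (an audit-planning aid)."""
    return {f: checks_needed(total, int(total * f), target) for f in fractions}


if __name__ == "__main__":
    # Constructed scenario: 10,000 posted receipts, 95% detection target.
    for frac, n in audit_table(10000, (0.05, 0.01, 0.001), 0.95).items():
        print(f"{frac:.1%} bad receipts: check {n} of 10000")
```

Receipt presence cannot be sampled this way by auditors alone, since only the voter knows her receipt should be there, which is the participation problem the slide raises.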

21
Trustee check obtained by auditing
22
Robustness
23
Signed Receipts
  • The entire receipt is digitally signed by the
    polling booth
  • This prevents voters from generating false
    receipts to claim a rigged election