Electronic Voting System - PowerPoint PPT Presentation

Slides: 25
Provided by: rudolp9
Learn more at: http://www.cs.uccs.edu

Transcript and Presenter's Notes

1
Electronic Voting System
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach,
IEEE Symp. on Security and Privacy 2004
VoteHere System Analysis, Philip Edward Varner's thesis
Advances in Cryptographic Voting Systems, Ben Adida, MIT Ph.D.
Dissertation 9/2006
2
Diebold System Analysis
  • Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin,
    Dan S. Wallach, IEEE Symp. on Security and
    Privacy 2004
  • Presents a security analysis of the source code of
    a paperless electronic voting system (Diebold).
  • Shows this voting system falls far below even the
    most minimal security standards applicable in other
    contexts. (strong words)
  • Problems include:
    • unauthorized privilege escalation,
    • incorrect use of cryptography,
    • vulnerabilities to network threats, and
    • poor software development processes.
  • They demonstrate that:
    • a voter can cast unlimited votes without being
      detected;
    • insider attacks: modify the votes; violate voter
      privacy by matching votes with voters.
  • Better solution: an EVS with a voter-verifiable audit
    trail (print a paper ballot that can be read and
    verified by voters).

3
VoteHere System Analysis
  • Philip Edward Varner's thesis.
  • Some companies claimed online voting's technical
    problems are solved, only political/sociological
    ones remain.
  • Analyzes the VoteHere system, including attack tree
    analysis, attacker models and abuse cases.

4
Related Literature
  • Public Key Cryptography
  • Homomorphic Encryption
  • Zero Knowledge Proofs (Shamir's "How to Share a
    Secret", CACM '79 paper).
  • Cryptographic Voting Protocols

5
FOO92 Voting Scheme
  • Requirements of a secure election:
    • Completeness: all votes are counted correctly.
    • Soundness: a dishonest voter cannot disrupt the
      voting.
    • Privacy: all votes must be secret.
    • Unreusability: no voter can vote twice.
    • Eligibility: no one who isn't allowed to vote can
      vote.
    • Fairness: nothing must affect the voting (DDoS?)
    • Verifiability: no one can falsify the result of
      the voting.
  • Validator and Counter

6
EAS College Voting System
  • Can we trust EAS IT?
  • For some non-critical, non-sensitive voting, vote
    integrity/convenience can be enforced with just
    EAS IT.
  • Can we trust 3rd party server(s) to issue the
    votes, authenticate voters, and collect votes?
  • Possibility of using campus IT servers, or other
    EAS lab servers.
  • Should we separate the voter authentication system
    (VAS) from the vote counting system (VCS)?
  • How to ensure the VAS does not talk to the VCS?
  • Assuming open source, how to ensure the code is not
    tampered with during the voting period?

7
Voting
  • Ancient Greece: any politician who got 6000 male
    landowner votes was exiled for 10 years!
  • 13th century Medieval Venice introduced approval
    voting (thumbs up/down).
  • US 1st elections were viva voce: voters were sworn
    in and called out their preferences.
  • Early 1800s: paper ballots were introduced,
    generally produced (pre-printed) by political
    parties, called party tickets.
  • 1858: Australia introduced the secret ballot,
    printed by the state, distributed to eligible
    voters, voted in an isolated booth.

8
DRE: Direct Recording Electronic
  • PC-type equipment running special-purpose voting
    software.
  • Lacks a tamper-proof audit trail.
  • Bugs or malicious code may produce erroneous
    results, undetected.
  • VVPAT: Mercuri 1992 proposed the Voter-Verified
    Paper Audit Trail. Print out a receipt visible to
    the voter behind glass (not taken with the voter!);
    the voter gets to confirm or cancel her vote.
  • VVPAT first significantly used in the US 11/2006,
    with 5 states expected to implement it.
    http://vote.nist.gov/032906VVPAT-jpw.pdf page 3

9
What Makes Voting So Hard?
  • Verifiability vs. Secrecy
  • Alice/Adrienne: two voters.
  • Carl, a coercer, wishes to influence Alice to vote
    Red.
  • How to let Alice obtain enough info to personally
    verify her vote was indeed recorded as Blue, but
    not so much info that she could convince Carl
    (selling her vote)?
  • Then there is no incentive for Carl to pay for
    votes.
  • Adversarial models for airplanes/ATMs are less
    demanding than for a federal election.

10
Failure Detection/Recovery Process
  • Those for bank/airplane failures are well
    understood.
  • It is not clear that failures in an election can
    always be detected.
  • Recovery is often expensive or even impossible.

11
Incentive
  • Influencing the outcome of a federal US election is
    worth a lot of money.
  • The 2004 presidential campaign budget reached $1B.

12
End-to-End Voting
  • Figure 1-3 End-to-End Voting: only two
    checkpoints are required.
    • (1) The receipt obtained from a voter's
      interaction with the voting machine is compared
      against the bulletin board and checked by the
      voter for correctness.
    • (2) Any observer checks that only eligible voters
      cast ballots and that all tallying actions
      displayed on the bulletin board are valid.

13
End-to-End Verifiability (E2EV)
  • Rather than completely auditing a voting
    machine's code and ensuring that the voting
    machine is truly running the code in question,
    end-to-end voting verification checks the voting
    machine's output only.
  • Rather than maintain a strict chain-of-custody
    record of all ballot boxes, end-to-end voting
    checks tally correctness using mathematical
    proofs.
  • Thus, the physical chain of custody is replaced
    by a mathematical proof of end-to-end behavior.
    Instead of verifying the voting equipment,
    end-to-end voting verifies the voting results.

14
Advantage of E2EV
  • One need not be privileged to verify the election.
  • Anyone can check the inputs/outputs against the
    mathematical proofs.
  • Cryptography makes end-to-end voting verification
    possible:
    • Encryption → provides ballot secrecy
    • Zero-knowledge proofs → provide public auditing
      of the tallying process

15
Bulletin Board of Votes
  • Cryptographic voting protocols revolve around a
    central, digital bulletin board.
  • All messages posted to the bulletin board are
    authenticated.
  • Any data written to the bulletin board cannot be
    erased or tampered with.
  • Can be attacked by DDoS, but there are known
    solutions.
  • Names and IDs of voters are posted in
    plaintext → eligibility.
  • Voter's name + encrypt(voter's ballot) is posted →
    no observer can tell what the voter chose.

16
Casting and Tallying Processes
  • The casting process lets Alice prepare her
    encrypted vote and cast it to the bulletin board.
  • The tally process aggregates the encrypted votes
    and produces a decrypted tally, with proofs of
    correctness of this process posted to the
    bulletin board for all observers to see.
  • A classical voting scheme performs a complete/blind
    hand-off (drop in a box).
  • Here cryptographic voting performs a controlled
    hand-off:
    • An individual can trace her vote's entry into the
      system.
    • Any observer can verify the processing of these
      encrypted votes into an aggregated, decrypted
      tally.

17
Cryptographic Voting
18
Secret Voter Receipt
  • To avoid vote selling/coercion, all current
    cryptographic voting schemes require that voters
    physically appear at a private, controlled
    polling location: it is the only known way to
    establish a truly private interaction that
    prevents voter coercion.

Zero Knowledge Proof: Neff's MarkPledge
19
Tallying the Ballots
  • The secret key for decryption is shared among a
    number of election officials.
  • Two major techniques:
    • Homomorphic encryption: aggregation under the
      covers of encryption; only the aggregate tally
      needs decryption.
    • Digital version of shaking the ballot box: votes
      are shuffled/scrambled multiple times by multiple
      parties, dissociated from voter ID, then
      decrypted.

20
Randomized Threshold Public-Key Encryption
  • All cryptographic voting systems use randomized
    threshold public-key encryption.
  • The public-key property ensures that anyone can
    encrypt using a public key. The
    threshold-decryption property ensures that only a
    quorum of the trustees (more than the
    threshold), each with his own share of the
    secret key, can decrypt. → Shamir's "How to Share
    a Secret".
  • In addition, using randomized encryption, a
    single plaintext, e.g. Blue, can be encrypted in
    many possible ways, depending on the choice of a
    randomization value selected at encryption time.
    → avoids ciphertext attacks

21
Tallying under the Covers of Encryption
  • Using a special form of randomized public-key
    encryption called homomorphic public-key
    encryption, it is possible to combine two
    encryptions into a third encryption of a value
    related to the original two, i.e. the sum.
  • For example, using only the public key, it is
    possible to take an encryption of x and an
    encryption of y and obtain an encryption of
    x + y, all without ever learning x or y or x + y.
  • First proposed by Benaloh: votes are encrypted as
    either 0 (Blue) or 1 (Red).
  • In addition, a zero-knowledge proof is typically
    required for each submitted vote, in order to
    ensure that each vote is truly the encryption of
    0 or 1, and not, for example, 1000. Otherwise, a
    malicious voter could easily throw off the count
    by a large amount with a single ballot.
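
An added example (not from the slides or from the cited papers) that puts slides 19 to 21 together in miniature: an exponential-ElGamal key whose secret is Shamir-shared among trustees, randomized encryption of 0/1 ballots, a homomorphic tally any observer can recompute, and threshold decryption by a quorum. The group parameters P, Q, G and all function names are constructed for illustration; feeding in a ballot that encrypts 100 shows why each ballot needs a proof that it encrypts 0 or 1.

```python
import secrets

# Constructed toy safe-prime group: P = 2*Q + 1, G generates the order-Q
# subgroup. Real deployments use primes of 2048 bits or more.
P, Q, G = 1019, 509, 4

def keygen_shared(n, t):
    """Split the ElGamal secret key x into n Shamir shares (any t reconstruct it).
    Returns the public key h = G^x and the per-trustee shares; x is discarded."""
    x = secrets.randbelow(Q - 1) + 1
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]   # f(0) = x
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, x, P), shares

def encrypt(h, m):
    """Randomized (exponential ElGamal) encryption of vote m: (G^r, G^m * h^r).
    A fresh r each time means the same vote never yields the same ciphertext."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def aggregate(ciphertexts):
    """Homomorphic tally: the componentwise product encrypts the sum of the votes,
    computable by any observer from the bulletin board and the public key."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def threshold_decrypt(ct, quorum, t):
    """quorum maps trustee id -> share. Each trustee contributes c1^{x_i}; Lagrange
    coefficients combine them in the exponent to c1^x, so x is never reassembled."""
    if len(quorum) < t:
        raise ValueError("fewer trustees than the threshold")
    c1, c2 = ct
    c1_x = 1
    for i, xi in quorum.items():
        lam = 1
        for j in quorum:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        c1_x = c1_x * pow(c1, xi * lam % Q, P) % P
    g_m = c2 * pow(c1_x, -1, P) % P
    # The tally is at most the number of ballots, so a brute-force discrete log suffices.
    return next(m for m in range(Q) if pow(G, m, P) == g_m)
```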

22
Homomorphic public-key encryption
  • The entire homomorphic operation is publicly
    verifiable by any observer, who can simply
    re-compute it on his own using only the public
    key.
  • Unfortunately, homomorphic voting does not
    support write-in votes well: the encrypted
    homomorphic counters must be assigned to
    candidates before the election begins.

23
Shaking the Virtual Ballot Box
  • A different form of tallying is achievable using
    a mixnet, as first described by Chaum [39].
  • In a mixnet, a sequence of mix servers, each one
    usually operated by a different political party,
    takes all encrypted votes on the bulletin board,
    shuffles and rerandomizes them according to an
    order and a set of randomization values kept
    secret, and posts the resulting set of
    ciphertexts back to the bulletin board.
  • The next mix server then performs a similar
    operation, and so on until the last mix server.
  • Then, all trustees cooperate to decrypt the
    individual resulting encryptions, which have, by
    now, been dissociated from their corresponding
    voter identity.
  • Each mix server must provide a zero-knowledge
    proof that it performed correct mixing, never
    removing, introducing, or changing the underlying
    votes.
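
An added example (not from the slides or from Chaum's paper) of the mixnet just described, on a constructed toy ElGamal group: each server rerandomizes every posted ciphertext by multiplying in an encryption of 0 and then applies a permutation it keeps secret. The final check uses the trustee key to confirm that the multiset of votes survived the mixing; that is the property a real mix server must prove in zero knowledge, without anyone decrypting.

```python
import secrets

# Constructed toy safe-prime group: P = 2*Q + 1, G generates the order-Q
# subgroup. Real deployments use primes of 2048 bits or more.
P, Q, G = 1019, 509, 4
_rng = secrets.SystemRandom()

def keygen():
    """One trustee key for this illustration (a real election threshold-shares x)."""
    x = _rng.randrange(1, Q)
    return pow(G, x, P), x

def encrypt(h, m):
    """Exponential ElGamal: (G^r, G^m * h^r) with a fresh random r."""
    r = _rng.randrange(1, Q)
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def rerandomize(h, ct):
    """Multiply by a fresh encryption of 0: a new-looking ciphertext, same vote,
    using only the public key."""
    a, b = ct
    e1, e2 = encrypt(h, 0)
    return a * e1 % P, b * e2 % P

def mix_server(h, board):
    """One mix server: rerandomize every ciphertext, then apply a permutation it
    keeps secret, so outputs cannot be matched to the posted inputs."""
    out = [rerandomize(h, ct) for ct in board]
    _rng.shuffle(out)
    return out

def run_mixnet(h, board, servers):
    """Chain several mix servers (in practice each run by a different party)."""
    for _ in range(servers):
        board = mix_server(h, board)
    return board

def decrypt(x, ct):
    """Recover m from G^m = b / a^x by brute force; votes are small values."""
    a, b = ct
    g_m = b * pow(pow(a, x, P), -1, P) % P
    return next(m for m in range(Q) if pow(G, m, P) == g_m)

def mix_preserves_votes(x, inputs, outputs):
    """The invariant each server's shuffle proof must establish: no vote removed,
    introduced or changed. Checked here with the trustee key, for illustration only;
    a real mixnet proves it in zero knowledge without decrypting anything."""
    return (sorted(decrypt(x, c) for c in inputs)
            == sorted(decrypt(x, c) for c in outputs))
```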

24
Mixnet vs. Homomorphic
  • Mixnet is more difficult to operate → the
    re-encryption and shuffle processes must be
    executed on a trusted computing base, keeping the
    details of the shuffle secret from all others.
  • Two important advantages of Mixnet:
    • the complete set of ballots is preserved for
      election auditing;
    • free-form ballots, including write-ins, are
      supported.