Title: Electronic Voting System
1. Electronic Voting System
- Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach, IEEE Symp. on Security and Privacy 2004
- VoteHere System Analysis, Philip Edward Varner's thesis
- Advances in Cryptographic Voting Systems, Ben Adida, MIT Ph.D. Dissertation, 9/2006
2. Diebold System Analysis
- Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach, IEEE Symp. on Security and Privacy 2004
- Presents a security analysis of the source code of a paperless electronic voting system (Diebold).
- Shows that this voting system is far below even the most minimal security standards applicable in other contexts (strong words).
- Problems include:
  - unauthorized privilege escalation,
  - incorrect use of cryptography,
  - vulnerabilities to network threats, and
  - poor software development processes.
- They demonstrate that:
  - a voter can cast unlimited votes without being detected;
  - insider attacks can
    - modify the votes,
    - violate voter privacy by matching votes with voters.
- Better solution: an EVS with a voter-verifiable audit trail (print a paper ballot that can be read and verified by voters).
3. VoteHere System Analysis
- Philip Edward Varner's thesis.
- Some companies claimed that the technical problems of online voting are solved and only political/sociological ones remain.
- Analyzes the VoteHere system, including attack tree analysis, attacker models and abuse cases.
4. Related Literature
- Public Key Cryptography
- Homomorphic Encryption
- Zero Knowledge Proofs (Shamir, "How to Share a Secret", CACM 1979)
- Cryptographic Voting Protocols
5. FOO92 Voting Scheme
- Requirements of a secure election:
  - Completeness: all votes are counted correctly.
  - Soundness: a dishonest voter cannot disrupt the voting.
  - Privacy: all votes must be secret.
  - Unreusability: no voter can vote twice.
  - Eligibility: no one who isn't allowed to vote can vote.
  - Fairness: nothing must affect the voting (DDoS?).
  - Verifiability: no one can falsify the result of the voting.
- Validator and Counter
6. EAS College Voting System
- Can we trust EAS IT?
- For some non-critical, non-sensitive voting, vote integrity/convenience can be enforced with just EAS IT.
- Can we trust 3rd-party server(s) to issue the votes, authenticate voters, and collect votes?
- Possibility of using campus IT servers, or other EAS lab servers.
- Should we separate the voter authentication system (VAS) from the vote counting system (VCS)?
- How to ensure the VAS does not talk to the VCS?
- Assume open source; how to ensure the code is not tampered with during the voting period?
7. Voting
- Ancient Greece: any politician who got 6000 male landowner votes was exiled for 10 years!
- 13th-century medieval Venice introduced approval voting (thumbs up/down).
- The first US elections were viva voce: voters were sworn in and called out their preferences.
- Early 1800s: paper ballots were introduced, generally produced (pre-printed) by political parties and called party tickets.
- 1858: Australia introduced the secret ballot, printed by the state, distributed to eligible voters, and voted in an isolated booth.
8. DRE: Direct Recording Electronic
- PC-type equipment running special-purpose voting software.
- Lacks a tamper-proof audit trail.
- Bugs or malicious code may produce erroneous results undetected.
- VVPAT: Mercuri (1992) proposed the Voter-Verified Paper Audit Trail. A receipt is printed and shown to the voter behind glass (not taken away by the voter!); the voter gets to confirm or cancel her vote.
- VVPAT was first used on a significant scale in the US in 11/2006, with 5 states expected to implement it.
  http://vote.nist.gov/032906VVPAT-jpw.pdf, page 3
9. What Makes Voting So Hard?
- Verifiability vs. secrecy
- Alice/Adrienne: two voters.
- Carl, a coercer, wishes to influence Alice to vote Red.
- How to let Alice obtain enough information to personally verify that her vote was indeed recorded as Blue, but not so much information that she could convince Carl (vote selling)?
- No incentive for Carl to pay for votes.
- The adversarial models for airplanes/ATMs are less demanding than for a federal election.
10. Failure Detection/Recovery Process
- Those for bank/airplane failures are well understood.
- It is not clear that failures in an election can always be detected.
- Recovery is often expensive or even impossible.
11. Incentive
- Influencing the outcome of a federal US election is worth a lot of money.
- The 2004 presidential campaign budget reached $1B.
12. End-to-End Voting
- Figure 1-3, End-to-End Voting: only two checkpoints are required.
- (1) The receipt obtained from a voter's interaction with the voting machine is compared against the bulletin board and checked by the voter for correctness.
- (2) Any observer checks that only eligible voters cast ballots and that all tallying actions displayed on the bulletin board are valid.
13. End-to-End Verifiability (E2EV)
- Rather than completely auditing a voting machine's code and ensuring that the voting machine is truly running the code in question, end-to-end voting verification checks the voting machine's output only.
- Rather than maintaining a strict chain-of-custody record of all ballot boxes, end-to-end voting checks tally correctness using mathematical proofs.
- Thus, the physical chain of custody is replaced by a mathematical proof of end-to-end behavior. Instead of verifying the voting equipment, end-to-end voting verifies the voting results.
14. Advantages of E2EV
- One need not be privileged to verify the election.
- Anyone can check the inputs/outputs against the mathematical proofs.
- Cryptography makes end-to-end voting verification possible:
  - Encryption → provides ballot secrecy
  - Zero-knowledge proofs → provide public auditing of the tallying process
15. Bulletin Board of Votes
- Cryptographic voting protocols revolve around a central, digital bulletin board.
- All messages posted to the bulletin board are authenticated.
- Any data written to the bulletin board cannot be erased or tampered with.
- Can be attacked by DDoS, but there are known solutions.
- Names and IDs of voters are posted in plaintext → eligibility.
- Voter's name, encrypt(voter's ballot) posted → no observer can tell what the voter chose.
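An added toy implementation of these bulletin-board properties, written for this page rather than taken from the slides or from any of the cited works: every post is authenticated (an HMAC with a per-poster key stands in for the poster's digital signature), each entry is hash-chained to the one before it so any observer can detect alteration, and observers who remember the latest hash also detect erasure of the tail. Poster names and keys are constructed sample values.

```python
# Added example (not from the slides): append-only, authenticated bulletin board.
import hashlib
import hmac
import json

GENESIS = "0" * 64


def canonical(obj):
    """Deterministic JSON so every observer hashes exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key, poster, payload):
    """Stand-in for the poster's digital signature (HMAC with a toy per-poster key)."""
    return hmac.new(key, canonical({"poster": poster, "payload": payload}), hashlib.sha256).hexdigest()


def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class BulletinBoard:
    def __init__(self, poster_keys):
        self.poster_keys = poster_keys      # poster id -> key used to authenticate that poster
        self.entries = []

    def post(self, poster, payload, tag):
        """Accept only authenticated messages; each entry commits to the previous entry's hash."""
        key = self.poster_keys.get(poster)
        if key is None or not hmac.compare_digest(tag, mac(key, poster, payload)):
            raise PermissionError("unauthenticated post rejected")
        entry = {"seq": len(self.entries), "poster": poster, "payload": payload, "prev": self.head()}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify_chain(self):
        """Observer check: recompute every hash and link; return index of first bad entry, or -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
                return i
            prev = e["hash"]
        return -1


def signed_post(board, poster, key, payload):
    return board.post(poster, payload, mac(key, poster, payload))


def demo():
    """Returns (chain clean, forged post rejected, index flagged after tampering, erasure noticed)."""
    keys = {"registrar": b"toy-registrar-key", "alice": b"toy-alice-key"}   # constructed sample keys
    board = BulletinBoard(keys)
    signed_post(board, "registrar", keys["registrar"], {"eligible": ["Alice", "Bob"]})
    signed_post(board, "alice", keys["alice"], {"ballot": "E(ballot) placeholder"})
    clean = board.verify_chain() == -1
    try:                                                  # Mallory holds no registered key
        signed_post(board, "mallory", b"wrong-key", {"ballot": "forged"})
        rejected = False
    except PermissionError:
        rejected = True
    head = board.head()                                   # observers remember the latest hash
    board.entries[1]["payload"] = {"ballot": "altered"}  # alter Alice's posted ballot in place
    flagged = board.verify_chain()
    board.entries.pop()                                   # try to erase it instead
    truncated = board.head() != head
    return clean, rejected, flagged, truncated
```

A real board uses signatures rather than shared MAC keys, and the head hash is witnessed by many observers or mirrored, because the chain check alone cannot tell that the tail was cut off; only a remembered head does that.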
16. Casting and Tallying Processes
- The casting process lets Alice prepare her encrypted vote and cast it to the bulletin board.
- The tally process aggregates the encrypted votes and produces a decrypted tally, with proofs of correctness of this process posted to the bulletin board for all observers to see.
- A classical voting scheme performs a complete/blind hand-off (drop in a box).
- Here, cryptographic voting performs a controlled hand-off:
  - individuals can trace their vote's entry into the system;
  - any observer can verify the processing of these encrypted votes into an aggregated, decrypted tally.
17. Cryptographic Voting
18. Secret Voter Receipt
- To avoid vote selling/coercion, all current cryptographic voting schemes require that voters physically appear at a private, controlled polling location; it is the only known way to establish a truly private interaction that prevents voter coercion.
- Zero Knowledge Proof: Neff's MarkPledge
19. Tallying the Ballots
- The secret key for decryption is shared among a number of election officials.
- Two major techniques:
  - Homomorphic encryption: aggregation under the covers of encryption; only the aggregate tally needs decryption.
  - Digital version of shaking the ballot box: shuffled/scrambled multiple times by multiple parties, dissociated from voter ID, then decrypted.
20. Randomized Threshold Public-Key Encryption
- All cryptographic voting systems use randomized threshold public-key encryption.
- The public-key property ensures that anyone can encrypt using a public key. The threshold-decryption property ensures that only a quorum of the trustees (more than the threshold), each with his own share of the secret key, can decrypt. → Shamir's How to Share a Secret.
- In addition, using randomized encryption, a single plaintext, e.g. Blue, can be encrypted in many possible ways, depending on the choice of a randomization value selected at encryption time. → prevents ciphertext-matching attacks (an observer cannot recognize a vote by encrypting "Blue" himself and comparing ciphertexts).
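The two properties of this slide as an added toy example (not code from the slides or from Adida's dissertation): exponential ElGamal encryption of Blue (= 0) gives a fresh ciphertext each time, and the secret key is Shamir-shared among three trustees so that any two can decrypt jointly while one alone cannot. The group parameters (p = 2039, q = 1019, g = 4) are constructed for readability and are far too small to be secure.

```python
# Added example (not from the slides): toy randomized threshold ElGamal.
import secrets

# Constructed toy group, far too small to be secure: p is a safe prime, q = (p-1)/2,
# and G = 4 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """Uniform exponent in [1, Q-1]."""
    return 1 + secrets.randbelow(Q - 1)


def keygen():
    """Secret key x, public key h = g^x. Anyone holding h can encrypt."""
    x = rand_exp()
    return x, pow(G, x, P)


def encrypt(h, m):
    """Exponential ElGamal: (g^r, g^m * h^r). Fresh r each time, so the same m yields a new ciphertext."""
    r = rand_exp()
    return pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P


def share_secret(x, n, t):
    """Shamir (t, n) sharing of x over Z_q: a random degree-(t-1) polynomial with f(0) = x."""
    coeffs = [x] + [rand_exp() for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q) for i in range(1, n + 1)]


def lagrange_coeff(i, idxs):
    """Weight of share i when reconstructing f(0) from the shares in idxs (mod Q)."""
    num, den = 1, 1
    for j in idxs:
        if j != i:
            num = (num * -j) % Q
            den = (den * (i - j)) % Q
    return (num * pow(den, -1, Q)) % Q


def partial_decrypt(share, c1):
    """Trustee i publishes c1^{x_i}; the share x_i itself never leaves the trustee."""
    i, xi = share
    return i, pow(c1, xi, P)


def combine(partials, t, c2):
    """Combine at least t partial decryptions into g^m; the interpolation happens in the exponent."""
    if len(partials) < t:
        raise ValueError("quorum not met: %d of %d trustees" % (len(partials), t))
    idxs = [i for i, _ in partials]
    d = 1
    for i, di in partials:
        d = (d * pow(di, lagrange_coeff(i, idxs), P)) % P      # d = c1^x = h^r
    return (c2 * pow(d, -1, P)) % P


def decode(gm, max_m=10):
    """Recover a small m from g^m by trial; votes and tallies are small integers."""
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext out of range")


def demo():
    """Blue (0) encrypted five times, then decrypted by trustees 1 and 3 only (threshold 2 of 3)."""
    x, h = keygen()
    shares = share_secret(x, n=3, t=2)
    cts = [encrypt(h, 0) for _ in range(5)]
    c1, c2 = cts[0]
    partials = [partial_decrypt(shares[0], c1), partial_decrypt(shares[2], c1)]
    # the vote decodes to 0; the five ciphertexts of the same vote are (almost surely) all different
    return decode(combine(partials, 2, c2)), len(set(cts))
```

No trustee ever reconstructs x: each contributes c1^{x_i} and the Lagrange interpolation is carried out on those partial values, which is what lets the key stay split for the next election.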
21. Tallying under the Covers of Encryption
- Using a special form of randomized public-key encryption called homomorphic public-key encryption, it is possible to combine two encryptions into a third encryption of a value related to the original two, i.e. the sum.
- For example, using only the public key, it is possible to take an encryption of x and an encryption of y and obtain an encryption of x + y, all without ever learning x or y or x + y.
- First proposed by Benaloh: votes are encrypted as either 0 (Blue) or 1 (Red).
- In addition, a zero-knowledge proof is typically required for each submitted vote, in order to ensure that each vote is truly the encryption of 0 or 1, and not, for example, 1000. Otherwise, a malicious voter could easily throw off the count by a large amount with a single ballot.
22. Homomorphic Public-Key Encryption
- The entire homomorphic operation is publicly verifiable by any observer, who can simply re-compute it on his own using only the public key.
- Unfortunately, homomorphic voting does not support write-in votes well: the encrypted homomorphic counters must be assigned to candidates before the election begins.
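An added worked example (not from the slides) covering the last two slides: votes are encrypted as 0 or 1 under exponential ElGamal, an observer multiplies the ciphertexts to obtain an encryption of the sum using only the public key, and a disjunctive Chaum-Pedersen proof made non-interactive with Fiat-Shamir accompanies each ballot so that an encryption of 1000 is rejected. The demo also shows what the count looks like when the proofs are skipped. A single decryption key and tiny constructed group parameters keep the code short; neither is appropriate for a real election.

```python
# Added example (not from the slides): homomorphic tally of 0/1 votes with a per-ballot 0-or-1 proof.
import hashlib
import secrets

# Constructed toy group (insecure): p = 2q + 1 safe prime, G generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)


def inv(v):
    return pow(v, -1, P)


def keygen():
    x = rand_exp()
    return x, pow(G, x, P)       # single trustee key, to keep the example short


def encrypt(h, m):
    """E(m) = (g^r, g^m * h^r); the randomness r is returned because the proof needs it."""
    r = rand_exp()
    return (pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P), r


def add(ct1, ct2):
    """Componentwise product: E(m1) * E(m2) = E(m1 + m2). Public data only, no secrets involved."""
    return (ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P


def decrypt(x, ct, max_m):
    """Strip h^r, then recover the (small) exponent of g^m by trial."""
    a, b = ct
    gm = (b * inv(pow(a, x, P))) % P
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("tally out of range")


def challenge(*vals):
    """Fiat-Shamir challenge, bound to the ciphertext and both commitments."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_bit(h, ct, m, r):
    """Disjunctive Chaum-Pedersen: 'ct encrypts 0 OR ct encrypts 1', without revealing which."""
    a, b = ct
    fake = 1 - m
    c_f, z_f = rand_exp(), rand_exp()                   # simulated transcript for the other value
    A_f = (pow(G, z_f, P) * inv(pow(a, c_f, P))) % P
    B_f = (pow(h, z_f, P) * inv(pow((b * inv(pow(G, fake, P))) % P, c_f, P))) % P
    w = rand_exp()                                       # honest transcript for the real value
    com = {m: (pow(G, w, P), pow(h, w, P)), fake: (A_f, B_f)}
    c_r = (challenge(a, b, *com[0], *com[1]) - c_f) % Q  # real challenge = total - simulated
    resp = {m: (c_r, (w + c_r * r) % Q), fake: (c_f, z_f)}
    return com[0], resp[0], com[1], resp[1]


def verify_bit(h, ct, proof):
    """Observer check: the two challenges sum to the hash, and both branches' equations hold."""
    a, b = ct
    (A0, B0), (c0, z0), (A1, B1), (c1, z1) = proof
    if (c0 + c1) % Q != challenge(a, b, A0, B0, A1, B1):
        return False
    for v, A, B, c, z in ((0, A0, B0, c0, z0), (1, A1, B1, c1, z1)):
        bv = (b * inv(pow(G, v, P))) % P                  # equals h^r when v is the true vote
        if pow(G, z, P) != (A * pow(a, c, P)) % P or pow(h, z, P) != (B * pow(bv, c, P)) % P:
            return False
    return True


def cast(h, vote):
    ct, r = encrypt(h, vote)
    return ct, prove_bit(h, ct, vote, r)


def tally(x, h, ballots, check_proofs=True):
    """Drop ballots whose proof fails, multiply the rest, decrypt once. Returns (count, accepted)."""
    acc, accepted = (1, 1), 0                             # (1, 1) is E(0) with r = 0
    for ct, proof in ballots:
        if check_proofs and not verify_bit(h, ct, proof):
            continue
        acc, accepted = add(acc, ct), accepted + 1
    return decrypt(x, acc, max_m=2000), accepted


def demo():
    """Five honest ballots (three Red) plus one ballot encrypting 1000 with a borrowed proof."""
    x, h = keygen()
    honest = [cast(h, v) for v in (1, 0, 1, 1, 0)]
    bad_ct, _ = encrypt(h, 1000)
    ballots = honest + [(bad_ct, honest[1][1])]           # proof was made for a different ciphertext
    return tally(x, h, ballots), tally(x, h, ballots, check_proofs=False)
```

The borrowed proof fails because the Fiat-Shamir challenge is hashed over the ciphertext it belongs to, so it cannot be moved to another one; with the check disabled the single dishonest ballot lifts the Red count from 3 to 1003, which is exactly the failure the slide warns about.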
23. Shaking the Virtual Ballot Box
- A different form of tallying is achievable using a mixnet, as first described by Chaum [39].
- In a mixnet, a sequence of mix servers, each one usually operated by a different political party, takes all encrypted votes on the bulletin board, shuffles and re-randomizes them according to an order and a set of randomization values kept secret, and posts the resulting set of ciphertexts back to the bulletin board.
- The next mix server then performs a similar operation, and so on until the last mix server.
- Then, all trustees cooperate to decrypt the individual resulting encryptions, which have, by now, been dissociated from their corresponding voter identity.
- Each mix server must provide a zero-knowledge proof that it performed correct mixing, never removing, introducing, or changing the underlying votes.
24. Mixnet vs. Homomorphic
- A mixnet is more difficult to operate: the re-encryption and shuffle processes must be executed on a trusted computing base, keeping the details of the shuffle secret from all others.
- Two important advantages of the mixnet:
  - the complete set of ballots is preserved for election auditing;
  - free-form ballots, including write-ins, are supported.
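An added toy re-encryption mixnet for the two preceding slides (not from the slides or the cited works): each mix server secretly permutes the ciphertexts and multiplies each one by a fresh encryption of 1, so the outputs cannot be linked to the voters' names on the bulletin board, and because every ballot is decrypted individually a free-form write-in decrypts just like a candidate name. The only verification shown is a product consistency check; a server could pass it while swapping two ballots for two others with the same product, so it is a sanity check, not the zero-knowledge shuffle proof the slide requires. The modulus (the Mersenne prime M89), generator and vote list are constructed values, not a secure instantiation.

```python
# Added example (not from the slides): re-encryption mixnet over standard ElGamal, with the
# product consistency check an observer can run. Toy parameters, not a secure instantiation.
import secrets

P = 2**89 - 1     # constructed toy modulus: the Mersenne prime M89; exponents are taken mod P-1
G = 3


def rand_exp():
    return 1 + secrets.randbelow(P - 2)


def keygen():
    x = rand_exp()
    return x, pow(G, x, P)


def encode(text):
    """Free-form ballot text (up to 11 ASCII bytes in this toy group) as a group element."""
    m = int.from_bytes(text.encode(), "big")
    if not 0 < m < P:
        raise ValueError("ballot text too long for the toy modulus")
    return m


def decode(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def encrypt(h, m):
    """Standard ElGamal (g^r, m * h^r)."""
    r = rand_exp()
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x, ct):
    a, b = ct
    return (b * pow(pow(a, x, P), -1, P)) % P


def mix(h, cts):
    """One mix server: secret permutation, then each ciphertext times a fresh encryption of 1.
    It publishes only the sum of its re-randomization exponents, which says nothing about the order."""
    order = list(range(len(cts)))
    secrets.SystemRandom().shuffle(order)
    out, s_total = [], 0
    for i in order:
        s = rand_exp()
        a, b = cts[i]
        out.append(((a * pow(G, s, P)) % P, (b * pow(h, s, P)) % P))
        s_total += s
    return out, s_total


def product(cts):
    pa = pb = 1
    for a, b in cts:
        pa, pb = (pa * a) % P, (pb * b) % P
    return pa, pb


def consistent(h, before, after, s_total):
    """Observer check: an honest mix changes the componentwise product only by (g^S, h^S).
    Necessary but not sufficient; it is NOT the zero-knowledge shuffle proof the slide requires."""
    pa, pb = product(before)
    qa, qb = product(after)
    return qa == (pa * pow(G, s_total, P)) % P and qb == (pb * pow(h, s_total, P)) % P


def tampered_mix(h, cts):
    """A dishonest server that swaps one ballot for its own; the product check catches this case."""
    out, s_total = mix(h, cts)
    out[0] = encrypt(h, encode("Red"))
    return out, s_total


def run_election(votes, n_mixes=3):
    """Bulletin board holds (voter, E(ballot)); n mix servers in sequence, then one decryption pass."""
    x, h = keygen()
    board = [(voter, encrypt(h, encode(ballot))) for voter, ballot in votes]
    current = [ct for _, ct in board]
    for _ in range(n_mixes):
        mixed, s_total = mix(h, current)
        if not consistent(h, current, mixed, s_total):
            raise RuntimeError("mix server output inconsistent")
        current = mixed
    return sorted(decode(decrypt(x, ct)) for ct in current)   # ballots, no longer tied to voters


# Constructed sample board; "Zoe" stands for a write-in that no homomorphic counter was reserved for.
SAMPLE_VOTES = [("Alice", "Blue"), ("Bob", "Red"), ("Carol", "Blue"), ("Dave", "Zoe")]
```

The write-in costs nothing here because each output ciphertext is opened on its own, which is the advantage slide 24 lists; the price is that correctness of every mix must be proven rather than merely sanity-checked as above.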