Electronic Vote-Verification Receipts - PowerPoint PPT Presentation
1
Electronic Vote-Verification Receipts
  • Rahul Simha, Poorvi Vora
  • Department of Computer Science
  • The George Washington University

2
The Context
  • New voter-verifiable schemes
    • Punchscan
    • Prêt-à-Voter
    • ThreeBallot etc.
  • require that
    • the voter leave the voting booth with a paper receipt
    • the voter verify later that it is correctly included in the virtual ballot box

3
The Problems
  • Requires
    • voter follow-up
    • comparison of a paper receipt with an electronic version
  • Different from existing process, hence acceptability issues
  • Requires a polling-machine-independent digital signature verification at polling site
  • Limits access for those who are blind or cannot mark on paper, who, rightly, prefer non-verifiable DREs to this approach

4
Proposed Solutions
  • Voter gives receipt to independent verifying entity at polling site, such as
    • human rights organization
    • candidate representative
    • local voting organization (League of Women Voters in US)
  • These entities may
    • check digital signature
    • keep receipt for later verification
    • both of above

5
Electronic Receipt?
  • Why not
    • an electronic receipt
    • sent to an entity of the voter's choice
    • from the polling booth
  • Because
    • the voter cannot know if it got to the chosen entity correctly
  • Because
    • the voter cannot check digital signatures without trusting the polling machine

6
The Tool
7
Human-verifiable digital signature
  • What if
    • the voter sends the electronic receipt to a verifier of her choice
    • the receipt is returned, signed using a keyed human-verifiable digital signature
  • The voter does not need access to trusted computational power to check the signature
  • An anonymous reviewer at WOTE 2007 correctly described our approach as using human-verifiable digital signatures

8
A human-verifiable digital signature requires sense of sight
  • Key: A font, or presentation format for text. Assume available to entity checking signature

9
Human verifiability requires sense of sight
  • Given one message m signed with key k, and another message m' signed with key k', a human can read both messages and tell if k = k'

k ≠ k'
k = k'
10
Hard problem requires sense of sight
  • Forgery: present message m' in font f, given message m in font f
  • Can be solved with enough time and data, but for our purposes, short-lived security is enough

11
A human-verifiable digital signature requires sense of hearing
  • Key: A voice, or tune, or intonation style
  • Given one message m signed with key k, and another message m' signed with key k', a human can tell if k = k'
  • Hard problem: Forgery: present message m' in voice f, given message m in voice f

12
A Solution
13
Audio Punchscan: audio receipts (with Chaum, Hosp, Popoveniuc)
  • Tape reads layers
    • Obama: A, Clinton: B
    • B: Left, A: Right
  • Voter reads choice into digital recorder
    • Right if top layer
    • A if bottom layer
  • All receipts available in audio and visual forms

14
Electronic Receipt Hand-off
  • Voter
    • approves vote and receipt choice; chooses verifier
  • Polling Machine
    • sends electronic receipt to verifier, signed classically
  • Verifier
    • checks classical signature
    • keeps receipt for later verification of presence in virtual ballot box
    • returns human-verifiably signed receipt
    • classically signs transaction
  • PM
    • checks classical signature
  • Voter
    • checks human-verifiable signature
  • Can add salt, timeliness, challenge/response

15
Key Establishment
  • Voters pick up tickets before entering booth
    • each ticket is a signed version of a unique random number v, which is also the index identifying the key to the signer, who has several keys
    • tickets can be audio clips

16
Signed Receipt
  • Receipt is returned in the format identified to the signer by number v

(Figures: Punchscan Receipt; Signed Punchscan Receipt)
17
Resolution of Disagreements
  • If voter thinks signed receipt is not hers in the format on her ticket
    • resolve with human poll worker
    • culprit can be determined by checking classical digital signatures
  • If verifier finds receipt is missing
    • check digital signatures
  • Verifier can hold up protocol by sending false signed receipts
    • like voters manufacturing false paper receipts, but with the power to disrupt the polls

18
We examined enhancements of
  • Punchscan
  • ThreeBallot
  • Are able to preserve privacy and integrity properties of Punchscan if the human-verifiable digital signature is secure
  • Not able to preserve those of ThreeBallot unless we make stronger assumptions

19
Related Work
  • CAPTCHAs
    • For our application, the font needs to be secret
    • For CAPTCHAs, the text needs to be secret
  • We later got to know of similar work
    • Fischer and Herfet. Visual CAPTCHAs for Document Authentication. MMSP, 2006 (different application, no formalization)
    • King, dos Santos and Xuan. KHAP: Using keyed hard AI problems to secure human interfaces. Scientia, 2004 (some formalization, applied very differently to voting)

20
Formal statements
21
Notation
  • R: set of all possible receipts (sent to the verifier)
  • r ∈ R: a single receipt
  • F: set of all possible formats (keys) (fonts/tones/voices etc.)
  • f ∈ F: a single key
  • σ(r, f) ∈ I, the set of all signed receipts (returned by the verifier)
  • σ: potential human-verifiable digital signature

22
Notation: Human Verifiability
  • H(a, b) = yes: a, b ∈ I are seen to be signed with the same key
  • Hr(a): human reading of the message in signed message a ∈ I

23
Notation: Classical Digital Signatures
  • Sign(m, k) is the classical digital signature using public key k
  • SignVerify(m, s, k) is the verification of classical digital signature s on message m using public key k
  • Polling Machine (PM) public key kP
  • Verifier public key kV

24
Protocol: Punchscan/Prêt-à-Voter
  • Voter picks up a ticket t, H(t) = v
  • Voter votes. Sends receipt (layer) r, with v, to PM
  • PM sends to Verifier (r ‖ v, m1 = Sign(r ‖ v, kP))
  • If SignVerify(r ‖ v, m1, kP) = yes, Verifier sends back (p, m2 = Sign(p, kV))
    • where p = σ(r, f) and t = σ(v, f)
  • If SignVerify(p, m2, kV) = yes, PM sends p to Voter
  • If H(p, t) = yes and Hr(p) = r, Voter accepts

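A runnable model of this hand-off, added here as an example and not the authors' code: HMAC tags stand in for the classical signatures Sign/SignVerify (a real deployment would use an asymmetric scheme so that Property 2, non-repudiation, holds), and σ(r, f) is modelled as a (format, message) pair that H and Hr inspect. The keys, font names, receipts and the two tampering switches are constructed for the example.

```python
import hmac, hashlib

# Constructed stand-ins for the keys kP and kV on the slide (HMAC keys, not real key pairs).
K_P, K_V = b"pm-key", b"verifier-key"

def sign(msg, key):                   # stand-in for Sign(m, k)
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_verify(msg, sig, key):       # stand-in for SignVerify(m, s, k)
    return hmac.compare_digest(sign(msg, key), sig)

def sigma(r, f):                      # toy sigma(r, f): message r rendered in format f
    return (f, r)

def H(a, b):                          # human: are a and b in the same format?
    return a[0] == b[0]

def Hr(a):                            # human reads the message out of a signed receipt
    return a[1]

class Verifier:
    def __init__(self, fonts):
        self.fonts = dict(fonts)      # v -> f; each f is used at most once (Assumption 3)
        self.ballot_box = []          # (r, m1) kept for later checks and dispute resolution

    def ticket(self, v):              # t = sigma(v, f), picked up before entering the booth
        return sigma(str(v), self.fonts[v])

    def handle(self, msg, m1, dishonest_r=None):
        if not sign_verify(msg, m1, K_P):
            raise ValueError("bad PM signature")
        r, v = msg.decode().split("||")
        f = self.fonts.pop(int(v))    # one-use ticket: the font is discarded here
        self.ballot_box.append((r, m1))
        p = sigma(dishonest_r or r, f)  # an honest verifier always returns sigma(r, f)
        return p, sign(repr(p).encode(), K_V)

def cast(r, v, verifier, pm_tamper=None, verifier_tamper=None):
    """Run the hand-off for receipt r and ticket index v; return (accepted, culprit)."""
    t = verifier.ticket(v)
    msg = f"{pm_tamper or r}||{v}".encode()         # PM builds r || v (or tampers with r)
    p, m2 = verifier.handle(msg, sign(msg, K_P), verifier_tamper)
    if not sign_verify(repr(p).encode(), m2, K_V):   # PM checks the classical signature
        raise ValueError("bad verifier signature")
    if H(p, t) and Hr(p) == r:                       # voter's human check, no computer needed
        return True, None
    # Disagreement (slide 17): the poll worker compares the classically signed records;
    # the PM signed what the verifier stored, so a stored r that differs blames the PM.
    sent_r = verifier.ballot_box[-1][0]
    return False, "PM" if sent_r != r else "Verifier"
```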
25
Definitions
  • Definition 1: Human-verifiability
    • σ is human-verifiable iff, ∀ v, r ∈ R, ∀ f, f' ∈ F:
    • H(σ(r, f), σ(v, f')) = yes ⇔ f = f'
    • Hr(σ(r, f)) = r

26
Definitions
  • Definition 2: Security Break
    • A program A breaks the security of mapping σ if, given
      • r1, r2, ..., rn ∈ R
      • f1, f2, ..., fn ∈ F, with fn ∉ {f1, f2, ..., fn-1}
      • σ(r1, f1), σ(r2, f2), ..., σ(rn, fn)
      • for some n << |R| × |F|
    • it produces x such that
      • H(σ(rn, fn), x) = yes
      • Hr(x) ≠ rn

27
Assumptions
  • Assumption 1: Human Verifiability
    • σ is human-verifiable.
  • Assumption 2: Security
    • In the absence of a real-time solution to an unsolved AI problem, a human and a computer together cannot break the security of σ in real time.
  • Assumption 3: One-Use Tickets
    • Each font is used at most once.

28
Claims
  • Property 1: Secure Delivery
    • If
      • Assumptions 1, 2 and 3 hold,
      • R is large enough,
      • H(p, t) = yes and Hr(p) = r,
      • a real-time solution to the hard AI problem is not obtained,
    • the Voter is assured that her receipt r has reached the Verifier

29
Claims - II
  • Property 2: NONREPUDIATION
    • If the classical digital signature scheme used is secure, the verifier cannot later deny that it sent a composite image that it did send.
  • Property 3: INTEGRITY, C-PUNCHSCAN
    • C-Punchscan provides at least as much integrity as Punchscan if Assumptions 1-3 hold and verifiers are honest

30
Claims - III
  • Property 4: PRIVACY, C-PUNCHSCAN
    • If Punchscan receipts reveal no information about the vote, the addition of electronic receipts does not reveal information connecting a voter to a vote, unless it is revealed through the physical voting process or the voting machine.

31
Questions
  • What are the types of fonts/formats/voices that
    can be used?
  • How quickly can they be broken?
  • What kinds of challenge/response/timeliness/salt
    can be used effectively?
  • How easy/difficult will this be for humans to
    use?

32
Extras
33
Vote Casting (contd.)
  • For ThreeBallot
    • Cannot reveal receipt choice, hence all three receipts must be sent to verifiers
    • To retain coercion resistance, the voter cannot choose verifiers
    • Need to check that the machine chose verifiers at random
    • Machine can collaborate with a single verifier to change the vote

34
ThreeBallot ticket
Ticket Your candidate outdoor picture