34 views

Uploaded by api-19826928

save

- book
- QC Final Report
- What is Steganography
- Course_Descriptions.pdf
- Essential Matters
- IJ0230052
- e-Voting Application using Internal Vtoken
- SS-2 Final
- CURRICULUM OF COMPUTER SCIENCE.doc
- FRAMEWORK FOR WIRELESS NETWORK SECURITY USING QUANTUM CRYPTOGRAPHY
- o 0211122128
- Vijjay Kumar d Ver 1.1
- Survey on Scalable load balancing and Data security in Cloud IaaS servers
- Security- lecture 01
- Network Security Using Image Processing (1)
- Encryption Of Data Using Elliptic Curve Over Finite Fields
- Crytology_Arabs_Submit_final
- Signcryption
- Church of Wifi WPA-PSK Rainbow Tables
- Encrypted Sms in Health Care
- Topic 6 Online Security
- Security Challenges, Issues and Their
- Proposed Generalization, Suppression, Heuristic, Encryption Privacy Protection Module to Access Sensitive Information in Relational Database (Review Paper)
- Fortigate Sslvpn 40 Mr2
- tijun10
- redacted cryptography term paper
- BeepBeep Embedded Real Time Encryption
- 12.589245
- Abstract
- D-47-458-468.pdf
- Yes Please
- The Unwinding: An Inner History of the New America
- Sapiens: A Brief History of Humankind
- The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
- Dispatches from Pluto: Lost and Found in the Mississippi Delta
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America
- John Adams
- The Prize: The Epic Quest for Oil, Money & Power
- The Emperor of All Maladies: A Biography of Cancer
- Grand Pursuit: The Story of Economic Genius
- This Changes Everything: Capitalism vs. The Climate
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story
- The New Confessions of an Economic Hit Man
- Team of Rivals: The Political Genius of Abraham Lincoln
- The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
- Smart People Should Build Things: How to Restore Our Culture of Achievement, Build a Path for Entrepreneurs, and Create New Jobs in America
- Rise of ISIS: A Threat We Can't Ignore
- The World Is Flat 3.0: A Brief History of the Twenty-first Century
- Bad Feminist: Essays
- Angela's Ashes: A Memoir
- Steve Jobs
- How To Win Friends and Influence People
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)
- Extremely Loud and Incredibly Close: A Novel
- Leaving Berlin: A Novel
- The Silver Linings Playbook: A Novel
- The Light Between Oceans: A Novel
- The Incarnations: A Novel
- You Too Can Have a Body Like Mine: A Novel
- The Love Affairs of Nathaniel P.: A Novel
- Life of Pi
- Brooklyn: A Novel
- The Flamethrowers: A Novel
- The First Bad Man: A Novel
- We Are Not Ourselves: A Novel
- The Blazing World: A Novel
- The Rosie Project: A Novel
- The Master
- Bel Canto
- A Man Called Ove: A Novel
- The Kitchen House: A Novel
- Beautiful Ruins: A Novel
- Interpreter of Maladies
- The Wallcreeper
- The Art of Racing in the Rain: A Novel
- Wolf Hall: A Novel
- The Cider House Rules
- A Prayer for Owen Meany: A Novel
- My Sister's Keeper: A Novel
- Lovers at the Chameleon Club, Paris 1932: A Novel
- The Bonfire of the Vanities: A Novel
- The Perks of Being a Wallflower

You are on page 1of 18

Election Verification

Abstract—Cryptographic (or end-to-end) election verification convinced that their vote was counted without being able to

is a promising approach to providing transparent elections in reveal to anyone how they voted.

an age of electronic voting technology. However it is unrealistic

to expect voters, who do not have specialist knowledge in Over two decades after the seminal groundwork was laid by

cryptography or software development, to be able to conduct an Chaum [12], Benaloh [6] and others, cryptographic election

end-to-end audit. In an effort to reduce the technical complexity verification has been used in real elections with binding

of performing these audits, we present Eperio: a new, provably results. An early Internet voting system to use cryptographic

secure construction for providing a tally that can be efficiently verification was RIES, used in a parliamentary election for

verified using only a small set of primitives. We suggest how

common-place utilities, like the use of file encryption, can further about 70,000 absentee ballots in 2004 in the Netherlands [24].

simplify the verification process for the voter. Using Python, In 2007, a university election in Canada used the optical-scan

verification code can be expressed in 50 lines of code. As system Punchscan for 154 voters [20]. In 2009, the Internet

an interesting alternative, we outline how verification can be system Helios was used in a university election in Belgium

completed manually using built-in functions in a spreadsheet. for 5142 registered voters [2], and in a university election in

Compared to other proposed proof-verification methods for end-

to-end election audits, Eperio lowers the requirements in terms the United States for 567 voters.1 In 2009, the optical scan

of lines of code, execution time, and cryptographic primitives. system Scantegrity was used in a municipal election in the

United States for 1722 voters.2

Case studies based on these elections have suggested that

I. I NTRODUCTION

about 30–40% of voters checked that election data posted to

Electronic vote-casting methods have become increasingly a website matches the information on their privacy-preserving

prominent. By 2006, less than 1% of the Unites States vote receipts [2], [20]. However there is a second step to ver-

voting-age population still voted by paper ballot, with over ifying a cryptographic election—checking the cryptographic

88% voting either by optical-scan, or some other electronic proof of robustness—and it is difficult to determine how many

interface [19]. However, software execution is not inherently voters or auditors are doing this. Very little data is available,

observable, which has generated widespread concern over but our expectation is few do. Cryptographic audits can be far

its use in elections. Furthermore, beginning in 2004 with more involved than what the average voter might be prepared

Kohno et al. [29], independent reviews have continued to to engage in. The recent municipal election in the United

uncover serious security vulnerabilities in widely-used com- States provides a good example: the two independent auditors

mercial systems; vulnerabilities that allow, among other things, of that election each wrote several hundred lines of software

undetectable tally manipulation if an attacker gains access to code to pore over the two and a half gigabytes of cryptographic

the system under reasonable threat scenarios. Recent studies audit data.3

have examined systems by ES&S [5], Premier/Diebold [10], Notwithstanding software development being a reasonably

[11], Sequoia [4], [9], and Hart-InterCivic [10], [25]. widespread (and growing) skill, there is another obstacle:

In response, a return to hand-counted paper ballots has been cryptography. Many systems in the literature employ advanced

suggested, however tallying by hand can be time-consuming cryptographic primitives and techniques not typically found in

for the long, multi-contest ballots common in many US standard software libraries. This typically results in the crypt-

precincts, in particular, for contests using bloc voting or ographic software components being custom coded, which is

instant run-off voting. Furthermore, while offering greater well known to software developers as being easy to botch.

transparency than electronic voting, full confidence in an Beyond these technical questions lies another question for

election result would require observing the process end-to- security researchers to consider: is the verification protocol

end, which is a large time-commitment, extends to only a secure and convincing? Replicating a verification process is

single polling place, and is nullified if the ballots are recounted different than understanding why the verification actually

at a later date. Instead we seek a solution that offers full proves what it claims.

confidence for all precincts and whose audit can be conducted

A consensus is emerging among some researchers and

at any convenient time after the election using commonplace

election officials that conceptual simplification of the overall

computer software.

process will be important to the future of cryptographic elec-

Our solution rests in cryptographic election verification,

which allows voters, and other public organizations, to au-

1 Election website: http://princeton-helios.appspot.com

dit election results through the addition of three specialized

2 Election website: http://www.takomaparkmd.gov/clerk/election/2009/

components in the election process: an enhanced ballot, a 3 Software and audit results by Ben Adida and Filip Zagorski

privacy-preserving vote receipt, and a cryptographic proof available online at http://github.com/benadida/scantegrity-audit/ and

of robustness. Through these components, a voter can be http://zagorski.im.pwr.wroc.pl/scantegrity/

tion verification.4 This trend is reflected in a recent German (1) Voter verifiable robustness: a proof, or strong evidence,

Federal Constitutional Court decision which states that if is made available to any voter that his/her voting intent

verification of a tally requires “specialist knowledge,” it is is included, unmodified, in the election outcome, and

unconstitutional [21]. simultaneously,

In this paper we consider ways to make cryptographic elec- (2) Ballot secrecy: an anonymous association between a

tion verification easier to conduct and comprehend. Although voter and his/her voting intent is maintained.

fundamentally we do not attempt to eliminate the require- Either of these properties, but not both, can be achieved

ment of specialist knowledge needed to verify an election unconditionally. Everlasting privacy implies that the crypto-

(cryptography and formal proofs of security inherently are a graphic transcript created during the course of an E2E election

form of specialist knowledge), we propose novel approaches does not uniquely encode which candidate was voted for on

to reducing specialist knowledge. We approach the design of a given receipt and in theory could be any of the candidate.

simpler cryptographic election verification protocols in two In this case, even a computationally unbounded citizen can-

related settings: not discover how anyone voted, however a computationally

• Less specialized cryptographic primitives: the desired unbounded election authority could change votes without

protocol should be secure under standard computational detection. Conversely, unconditional integrity guarantees that

assumptions, while using cryptographic primitives that the transcript uniquely encodes each vote. This means that

could be considered familiar to a general (non-specialist) probability of detecting a cheating election authority is invari-

audience. ant to its computation power, however ballot secrecy is lost if

• Reduced reliance on custom software implementa- a citizen is computationally unbounded. While we expect that

tions: the software components of the verification inter- both parties are computationally bounded, offering uncondi-

face of the desired protocol could be implemented, wher- tional security in one regard can eliminate assumptions.

ever possible, using either existing software components, Arguments in favor of everlasting privacy note that robust-

or small custom open-source code bases. ness only needs to be maintained for the period of the election,

while ballot secrecy needs to remain secure against the com-

Contributions putational powers of future generations. In the least, secrecy

should be post-quantum. On the other hand, the amount of

The contributions of this paper include: (i) a classification

true randomness needed to truly achieve everlasting privacy is

for levels of election verification, (ii) the Eperio election

inhibiting, especially if secrets are threshold-shared among a

verification protocol and a proof of its security, (iii) a proposal

set of election trustees. Furthermore, everlasting privacy offers

for implementing cryptographic commitments with existing

no protection against election trustees colluding or revealing

file encryption programs, and (iv) several implementations of

their shares. Eperio can achieve either but we devote most of

the verification protocol. Our implementations include a 50-

our explanation to the variant with unconditional integrity.

line Python script that can audit a 5000 ballot, 12 candidate

election in 9.3 seconds, a set of macros for completing Property 2, ballot secrecy, has been formalized in a variety

verification in a spreadsheet, and a set of steps for manually of ways. Benaloh and Tuinstral define receipt-freeness as the

verifying the election using only the built-in functions of a property that a voter is not able to provide useful information

spreadsheet. The implementations are not mutually exclusive, about their vote after it is cast [8]. This definition is strength-

allowing voters to choose an approach they are comfortable ened by Moran and Naor to account for an adversary that

with. interacts with the voter before and after casting [30]. A even

stronger notion, coercion resistance, is possible to achieve in

remote and Internet voting settings [27].

II. S ECURITY M ODEL

With regards to Property 1, a prevalent model for E2E voter

In this section, we discuss the properties of end-to-end verifiable robustness is to ensure three sequential properties:

cryptographic verification. We then focus on the user interface

(1a) Marked-as-Intended: an auditor can verify that if a

of the verification protocol, with particular attention to its

voter were to attempt to obfuscate their vote, it would

requirements and security properties. We then briefly discuss

be obfuscated correctly,

a number of assumptions we make regarding the voter and

(1b) Collected-as-Marked: a voter can verify that the ob-

trustee interfaces, and outline a number of threats to be

fuscation of their vote is included in a collection of

mitigated by the Eperio verification protocol.

obfuscated votes, and,

(1c) Counted-as-Collected: an auditor can verify that the

End-to-End Verifiability collection of obfuscated votes is properly deobfuscated,

In order to describe cryptographic election audits, the United producing a self-consistent and correct tally.

States Election Assistance Commission has introduced the The composition of these properties results in the voter’s

term end-to-end (E2E) verification [40]. We consider E2E preference being counted-as-intended (i.e., verifiable from end

verification to be the conjunction of two properties: to end). These properties are realized by three interfaces. A

4 See for example talks by Epestein, Gilbert, Jones, Sergeant, Volkamer, and

voting interface is used by voters on election day to create

Wallach at the NIST Workshop on End-to-End Voting Systems, Washington obfuscations of their votes. A trustee interface is used by a set

D.C., 2009. Program available: http://csrc.nist.gov/groups/ST/e2evoting/ of election trustees to generate the ballots prior to the election,

called the bulletin board. A robustness proof is generated

from the transcript and receipts by a set of election trustees.

The standard approach to verifying the election is through

three distinct audits, one for each of the previously mentioned

robustness properties (1a,1b, and 1c):

• Receipt Check: Property (1b) is verified by checking

that a privacy-preserving encryption (or obfuscation) of a

vote is present on the bulletin board. A standard method

involves granting the voter with a paper (or electronic)

Fig. 1. Eperio election verification architecture showing entities, interfaces, receipt of this encryption at the time the ballot is cast.

interactions (black arrows) and data flow (grey arrows). Auxiliary inputs (e.g., The voter may later use this receipt to consult the bulletin

audit challenges) are omitted for brevity. Voters are assumed to have been

already registered/authenticated by a separate process. board to ensure it is present and unmodified,

• Print Audit: Property (1a) is verified by checking that

ballots are being presented honestly. That is, a proof that a

collect the obfuscated votes after the election, and generate a mark made for a particular candidate will in fact translate

provably correct tally after the election. Finally, a verification into an obfuscated vote for that candidate. A standard

interface is used by voters and verifiers to check that the proofs method involves granting the voter the option to audit a

are correct. These interactions and interfaces are illustrated in ballot instead of voting on it. The digital representation of

Figure 1. Eperio is not an entire E2E system, just a trustee an audited ballot will be de-anonymized so that it can be

and verification interface that can interact with many of the compared to what was printed (or presented electronically

voting interfaces in the literature. to the voter),

• Tally Audit: Property (1c) is verified by checking a

cryptographic proof of self-consistency of the bulletin

Voting Interface

board. A standard method involves proving a privacy-

Although the voting interface is not part of Eperio, it will preserving mapping from the list of receipts to the

facilitate discussion of Eperio to discuss various means by election outcome.

which a voter can mark a ballot and construct a receipt. The

literature proposes four main methods for obfuscating a ballot

to create an E2E ballot receipt: encrypting a reference to the Grades of Verifier

candidate and retaining only the ciphertext (e.g., [1]), applying

A prevailing view of end-to-end verification is one in which

a randomized permutation to a canonical list of candidates

two categories of verifier exist: voters whose responsibility

and retaining only the position marked (e.g., [15]), substituting

it is to perform the receipt check of their own ballot in a

a randomized code for each candidate and retaining just the

particular election, and security researchers whose job it is to

code (e.g., [14]), and splitting the vote into randomized partial

be responsible for all else. However because of the importance

shares and retaining only one of the shares (e.g., [35]). The

of election verification and the diversity of a real-world

voting interface typically consists of a combination of an ob-

population, E2E audits should ideally accommodate a range of

fuscation technique with a conventional intent capture/storage

skill, knowledge and interest. We consider it useful therefore

mechanism. For example, permutation and code obfuscations

to classify cryptographic verification as a set of grades, each

have often been proposed in combination with optical scan

with its own responsibilities, participatory requirements, and

paper ballots, while encryption has often been proposed in

trust requirements:

conjunction with touch-screen and internet voting interfaces.

The Eperio protocol works directly with most of the permu- Voter

tation and code-based obfuscation techniques in the literature. • Primary responsibility: Substantiate their contribution

For illustrative purposes, we will present how Eperio would to a specific election using the E2E protocol and their

work with a paper ballot system similar to the Prêt à Voter audit data,

system [15]. The list of candidates is independently shuffled • Technical requirements: Be able to perform the receipt

on each ballot. The voter finds their preferred candidate and check of their own ballot and interpret the outcome,

marks the associated position. The voter then tears off just the • Knowledge requirements: Understand the concept of

marks (a figure in the next section, Figure 2, illustrates this), E2E verification at a high level as well as the general

which is scanned and then retained as a receipt. The candidate purpose of each property,

list is shredded by the voter before leaving the polling place. • Trust requirements: Trust someone to verify (1a) and

We refer to each position (bubble) on the ballot that can be (1c) on their behalf, and trust someone to formally

marked as a unique markable region (UMR). analyze the security of the protocol.

Election Data Auditor

Verification Interface • Primary responsibility: Substantiate the outcome of a

A transcript of certain election events and the scanned specific election using the E2E protocol and public audit

receipts are published on an append-only broadcast channel data,

• Technical requirements: Be able to perform each of the Since we are not innovating on the voting interface level, we

audits either by using existing verification software or assume the existence of a voting interface that can interface

writing it themselves, and interpret the outcome, with Eperio and is secure against the following two threats:

• Knowledge requirements: Understand the details of • Coercion. An active adversary may attack the voting

each audit. Understand at a high level why the protocol interface, attempting to coerce a voter into voting in a

works, particular way and producing evidence of compliance.

• Trust requirements: If using existing verification soft- • Repudiation. An active adversary may attack the voting

ware, trust its correctness (or review the source code). interface, attempting to discredit the validity of the elec-

Trust someone to formally analyze the security of the tion proof by submitting a false (i.e., spurious) dispute of

protocol. the results of any of the proofs.

Protocol Analyst

• Primary responsibility: Substantiate the security prop-

III. P ROTOCOL D ESCRIPTION

erties of the E2E protocol in general, A. Overview

• Technical requirements: Same as election data auditor, As a very quick overview, a set of trustees will jointly

• Knowledge requirements: Decide at a formal level generate a table with three columns. The first will reference

whether the protocol is complete, sound and secret, each unique markable region on each ballot in the election,

• Trust requirements: None. the second will indicate whether this region was marked or

In this paper, we target the second class: Election Data unmarked (or marked for an audit), and the third column will

Auditors. This may encompass software/security enthusiasts, contain the candidate associated with that markable region.

democracy advocacy groups, third party consultants, and po- This table is then randomly shuffled. It is easy to see that

litical campaigns. For the purposes of this paper, we present if the first two columns are revealed, the information should

Eperio as an attempt to simplify the technical and knowledge correspond to the set of all of the receipts in the election.

requirements for Election Data Auditors, and make this class If the last two columns are revealed, the information should

of verification more accessible to individuals who would correspond to the final tally. If all three are revealed (or

otherwise be confined to the Voter level. the contents of an unrevealed column are implied through

some function dependency), then ballot secrecy is breeched.

The Eperio protocol proves the correct formation of all three

Trustee Interface columns by only revealing the information implied in two of

Election trustees construct the cryptographic proofs of in- the three columns. It uses a composition of cut-and-choose

tegrity using private function evaluation, where no trustee is and random audit techniques inspired by randomized partial

permitted to learn more from the public outputs than what they checking [26].

can learn from their own private input. We do not assume that

the function is evaluated correctly (this will be established with B. Entities

a proof), only that intermediate values are unobservable. We

The Eperio protocol relies on the following entities, which

refer to this as a blackbox computation. It can be accomplished

are standard in most E2E voting systems:5

with a distributed multi-party computation or special hardware.

• A set of n election trustees (or the prover), P, tasked

In Section V, we suggest a deployment option that has been

used in actual cryptographic elections based on trustworthy with generating a verifiable tally. P is assumed to be

computing, but for now leave it as an assumption. We also a set of mutually distrustful and non-collusive trustees.

note that assuming integrity but not privacy, the counterfactual, However the protocol can tolerate t ≤ n−1 2 trustees who

is also common in the broader cryptographic literature; e.g., collude or refuse to participate.

• The set of authenticated voters who cast ballots in the

honest-but-curious adversaries and tamper-proof hardware

[28], [31]. election.

• The first set of verifiers, V1 , who verify that their receipts

were collected correctly (Property 1b). V1 are either

Threat Model voters, or auditors that were given access to a copy of

In general we will require an end-to-end election verification a voter’s receipt.

• The second set of verifiers, V2 , who verify that the ballots

protocol to be secure against two principal threats:

are printed correctly (1a). V2 are either voters or auditors

• Manipulation. An active adversary may attack the ad-

who went in person to obtain a ballot to audit.

ministrative interface, attempting to present a false elec- • The third set of verifiers, V3 , who verify that the tally

tion outcome by corrupting software components, data, is computed correctly from the collected receipts (1c).

or a tolerable threshold of election officials. V3 can include anyone in any location with access to the

• Identification. A passive adversary may attack the ver-

election data.

ification interface, attempting to use data on the public 0

• A malicious adversarial prover, P , who will attempt to

bulletin board (which persists indefinitely) to recover the convince the verifiers that an incorrect tally is correct.

unique associations between ballot receipts and individual

votes. 5 Here we categorize verifiers by task, not by grade as in Section II.

• A malicious adversarial verifier, V 0 , who will attempt

to break voter privacy and determine which candidate

was selected on a given receipt (or any non-negligible

information about this selection).

C. Functions

The Eperio protocol requires a set of standard functions

from the cryptographic literature: a threshold key agreement

modeled after the one due to Pedersen [33], a cryptographi-

cally secure pseudorandom number generator (PRNG), a per-

fect shuffle algorithm, a message commitment scheme (either Fig. 2. Left: E2E-enabled optical scan ballots. Each ballot consists of a

unique serial number, a candidate list printed in an independent random order,

perfectly binding or perfectly hiding), and a public coin (or and a perforation between the optical scan ovals and the candidate list. Upon

random beacon) to generate non-interactive challenges. marking the ballot, the candidate list is detached and shredded. The remaining

1) Distributed Key Generation/Reconstruction: piece is scanned and granted as a receipt. Because the candidate orderings are

independent across ballots, knowing the mark position alone does not reveal

◦ (y1 , . . . , yn , κ) ← DKG(n, t, l, f1 , . . . , fn ) how a voter voted. Right: Eperio table. Each optical scan oval (referenced by

◦ κ ← KeyRec(y1 , . . . , yt+1 ) a serial number and absolute position), its mark-state (marked or unmarked)

and the corresponding candidate name are recorded in a randomly assigned

DKG accepts from each of the n trustees a polynomial row.

of degree t, fi , with coefficients of bit-length l. The

coefficients are summed together, mod 2l , to produce a

new polynomial fˆ. Each trustee i receives yi = fˆ(i) as D. Lists and Tables

their share and the value κ = fˆ(0) forms a shared secret The Eperio protocol relies on a particular data structure,

of bit-length l. t should be set such that n ≥ 2t + 1. called the Eperio table, which is constructed from a set

KeyRec accepts at least t + 1 shares, y1 , . . . , yt+1 , from of private inputs by the trustees. To facilitate clarity, we

a subset of the trustees and outputs the shared secret κ. also denote some intermediate lists and tables used in its

2) Pseudorandom Number Generation: construction. The Eperio table is a novel data structure and

◦ {0, 1}l ← PRNG(κ, l) the primary contribution of this paper. It is shown in Figure 2

PRNG is a stateful function which takes as input the with a permutation-style ballot, which we use to illustrate the

shared secret, κ, as a seed and returns l new pseudo- protocol.

random bits each time it is invoked. For simplicity, we The following lists are public inputs to the system decided

omit l if the size of the output is clear from the context. on prior to the election.

3) Permutation: UMR List: U is the list of each unique markable

◦ π(Wi ) ← Permute(w1 , . . . , wu , Π) region (UMR) for the s candidates on each of

◦ π(Wi ) ← PermuteBlock(w1 , . . . , wu , s, Π) the b ballots. Elements are encoded as a ballot

Permute accepts a list Wi of u elements and a number, serial number and a position, and are listed in

Π = O(u log(u)), of random bits sufficient to per- ascending order. The length of the list is u = s·b.

fectly shuffle the list.6 PermuteBlock splits up the list Candidate Roster: S is the set of selections or

w1 , . . . , wl into blocks of s elements and permutes each candidates to appear on the ballot, for each

block independently. contest. Elements are encoded as a character

4) Commitment: string of arbitrary length. The size of the set is

◦ c ← Commit(m, r) s. Without loss of generality, we assume a single

◦ {0, 1} ← Decommit(c, r, m) contest.

Commit takes as input an arbitrary length message m These are used by the trustees, in conjunction with the

and a random factor r. It outputs a commitment to the functions defined above, to create the following private list.

message c. Decommit accepts values m, r, and c, and Candidate List: S ← U × S is the list of can-

outputs 1 iff c is a valid commitment to m and r. didates for each position on a ballot composed

Otherwise it outputs 0. by randomly selecting, without replacement per

5) Public Coin Toss: ballot, an element from S. It is ordered by U.

◦ {0, 1} ← PubCoin() The length of the list is u.

PubCoin returns a uniformly random bit. The output The marks list will denote the final status of a markable

should be unpredictable prior to being invoked and veri- region. It is empty prior to the election and is provided as a

fiable a posteriori. public input to the system after every ballot has been cast.

Marks List: M is the list of marks corresponding

6 Generating a random integer from random bits is non-deterministic when

to each markable region in U. Elements include

the integer is not a perfect power of 2. Perfect shuffling algorithms, like Fisher-

Yates, require random integers. An upper bound on the expected number of marked (1), unmarked (0), and print audited (-1).

bits is 2(log2 u!). The length of the list is u.

The concatenation of these three lists defines a table that ◦ P(:,2) ← M

collects all the private information of the election. ◦ P(:,3) ← S

Print Table: P is a table formed by joining U, M, Finally, x instances of P are generated and each shuffled

and S. The dimensions of the table are u × 3. row-wise. Each instance is stored in the Eperio table, E(i,j,k) .

A proof of election integrity subsumes a proof that the ◦ For i = 1 to u and k = 1 to x,

relations between each list in P is consistent with a universal ◦ ΠE ← PRNG(κ)

view of the election. Pairwise, a correct U-M relation implies

◦ E(i,:,k) ← Permute(P(i,:) , ΠE )

ballots were collected as marked (Property 1b from Section II),

a correct U-S relation implies ballots were printed correctly We define, for future use, the following function. It encap-

(1a), and a correct M-S relation implies the ballots were sulates all the steps in this ‘generate Eperio table’ section.

counted as collected (1c). Thus revealing P(i,j) for all i ◦ E ← GenE(κ)

and j is sufficient, under our assumptions, for independently 3) Generate Commitments: The trustees are now ready to

verifying the correctness of the tally. Unfortunately, it would commit to the data in E. For each instance 1 < k < x, they

also destroy the privacy preserving property of the ballot will commit to both the E(:,1,k) and E(:,3,k) columns. This

receipt—in conjunction with P, receipts would provide proof requires x × 2 commitments. The random factors for these

of which candidate was selected. commitments are stored in an x × 2 table R. The resulting

The Eperio table is a data structure that, with a set of commitment is stored in corresponding table C.

queries, can prove the correct formation of P while maintain- ◦ For i = 1 to 2, j = 2i − 1, and k = 1 to x,

ing the same level of privacy provided by only revealing the ◦ R(i,k) ← PRNG(κ)

list of receipts and the final tally. Specifically, it is a collection ◦ C(i,k) ← Commit(E(:,j,k) , R(i,k) )

of x instances of P that have been independently shuffled row-

◦ Publish C

wise. By revealing portions of and relations on this structure,

we will show that a complete and robust proof of integrity can Note that 2i − 1 is simply the mapping {1 → 1, 2 → 3},

be established with this minimal disclosure. used to denote that commitments to the first and third columns

of E are stored, respectively, in the first and second rows of

Eperio Table: E is a table formed by x instances

C. C is published to the bulletin board.

of P, each of them independently shuffled row-

4) Voting: Registered and authenticated voters are issued

wise. The dimensions of the table are u × 3 × x.

a paper ballot with a randomized candidate list according to

P. After marking the ballot, the candidate list is detached and

E. Protocol destroyed (e.g., placed in to a paper shredder). The remaining

We now outline the protocol for generating an Eperio table strip is scanned by an optical scanner and the strip is retained

and the various outputs required for proving it encodes a by the voter as a receipt. The optical scanners will record for

correct tally. The focus of this paper is on the protocol for each ballot which position was marked, as well as the ballots

verifying this proof, which is orthogonal to the issue of how that were print audited. After the election, these are placed into

the data is generated. However the security proof we provide the list M. Without knowing P(:,3) , this information does not

in the next section encompasses the generation of the data, and reveal which candidate was voted for and can be published.

so we give it consideration. The first three steps of the protocol ◦ Publish M

are conducted prior to the election: initial setup, generating the 5) Compute Tally: At least t + 1 trustees regenerate the

Eperio table, and generating the commitments to the Eperio election secret, and use it to regenerate the Eperio table, only

table. These steps are performed with a blackbox computation. this time with the completed marks list being shuffled along

1) Initial Setup: The setup assumes that a list of candidates, with the rest of the table.

S, is available as well as the number of ballots, b, to be used ◦ κ ← KeyRec(y1 , . . . , yt+1 )

in the election. The first task is for the trustees to generate an

◦ E ← GenE(κ)

election secret and receive shares of this secret.

For each instance x, they publish the corresponding marks

◦ (y1 , . . . , yn , κ) ← DKG(n, t, l, f1 , . . . , fn )

list. Each of these lists is a shuffled version of the original M.

2) Generate Eperio table: Next, the trustees generate the

◦ Publish: E(:,2,:)

Eperio table E. U is formed by listing the ballot and position

numbers in order. To form S, the candidate list is repeated b Finally, a tally is computed from any E(:,2,k) and E(:,3,k)

times and then randomly permuted on a ballot-by-ballot basis. pair of columns, and the list of totaled values for each

candidate, denoted τ , is published. This can be considered an

◦ ΠS ← PRNG(κ)

asserted tally, as the purpose of E2E verification is to prove

◦ Si ← PermuteBlock(Sb , s, ΠS ) that this tally is correct.

Table P is created by placing U, M, and S beside each 6) Generate the Linkage List: To ensure that the Eperio

other in columns. M is initially empty, but in future meetings table is consistent with what actually appears on the printed

will include the marks recorded during the election. P is used ballots in the election, verifiers have the ability to keep

to print the ballots. We use the symbol : to denote an entire an issued ballot for purposes of auditing its printing. If a

vector within a matrix. ballot where chosen to be print audited and the first position

◦ P(:,1) ← U contained candidate Bob, then a row corresponding to this

F. Verification

We now show the steps that the verifiers take to check that

the published data corresponds to a tally that is correct. Recall

there are three sets of audits (and corresponding verifiers).

The first set, V1 , are the voters who check their receipts (or

provide a copy to someone they delegate to check on their

behalf). If the receipt corresponds to ballot number b and

contains s positions that are either marked (1) or unmarked

(0), the auditor should check that the status of each position

i on the receipt matches the status recorded at Mj , where

j = s(b − 1) + i.

Fig. 3. Auditing Eperio table instances. Two example instances of the

Eperio table during auditing. Each instance contains the same information,

The second set of verifiers, V2 , should check the linkage

but is independently shuffled. Left: E(:,3,1) was challenged to be list against their print audited ballots. Let a = L(i,k) for an i

revealed, allowing verifiers to tally the election. Right: E(:,1,2) was on their ballot and an instance k. Depending on the random

challenged to be revealed allowing voters to check their receipts. Grey

represents cryptographic commitments that will remain unopened (to protect

coin for instance k, V2 should check that E(a,1,k) matches the

ballot secrecy). associated markable region on the ballot or E(a,3,k) matches

the associated candidate. They should do this for all i on their

print audited ballot and each k in the election.

markable region will exist in E at an unknown row. The row These two audits establish that the reported marks corre-

will be different for each instance. If the ballot is printed spond to what appeared on voter’s completed ballots and that

correctly, each corresponding row in each instance should what appears on the ballot corresponds to what is in the pre-

contain Bob in the third column. The print auditor would like committed Eperio table. The final step is to ensure that the

assurance of this fact. asserted tally corresponds to the marks. Recall that for each

However since commitments to only entire columns E(:,1,k) of the x instances, a random coin was flipped to reveal value

and E(:,3,k) exist, this fact cannot be directly revealed without z ∈r {0, 1}. The third set of verifiers, V3 , should do the

decommitting both columns for a given instance. Doing this following.

would reveal which candidate was selected for every receipt ◦ for k = 1 to x:

and cannot be pursued. Instead, the election trustees will indi- ◦ z ← Zk

rectly establish this fact. The trustees assert the row number, ◦ Check Decommit(C(z+1,k) , R(z+1,k) E(:,2z+1,k) )

a, in each instance corresponding to every audited markable

◦ If z = 0, Check {E(:,1,k) , E(:,2,k) } ∼

= {Ui , Mi }

region. Which markable regions are audited is contained in

the marks list, M, with -1 recorded for that entry. The list of ◦ If z = 1, Check {E(:,2,k) , E(:,3,k) } ∼

=τ

∼

Here = means that the two pairs of tables are isomorphic—

asserted row numbers is called the linkage list, L.

i.e., they are a permuted representation of the same informa-

◦ for i = 1 to u and k = 1 to x:

tion.

◦ if Mi = -1:

◦ Find: a s.t. E(a,1,k) = Ui IV. S ECURITY P ROOF

◦ L(i,k) ← a In this section, we prove that Eperio is complete, sound,

7) Audit Challenge and Response: After the tally has been and computationally secret. Given a transcript of the entire

posted, the trustees prove to an independent auditor that the protocol, the asserted tally can be either accepted or rejected.

tally was calculated correctly. They do this through a cut-and- If the asserted tally is correct, the decision will always be to

choose protocol. First the trustees regenerate the election secret accept (completeness). If the asserted tally is not correct, the

and the Eperio table. decision will be to reject with a high probability (soundness).

Finally, the outputs do not provide any information that can be

◦ κ ← KeyRec(y1 , . . . , yt+1 ) used by a computationally bounded adversary to determine any

◦ E ← GenE(κ) non-negligible information about which candidate was voted

Next, they invoke the public coin toss function to generate for by any voter (computational secrecy).

one flip for each of the x instances. To maintain consistency with the literature, we will denote

the trustees as the prover (P), who we initially consider un-

◦ for k = 1 to x: bounded in computation power. The three types of verifiers (V)

◦ z ← PubCoin() are considered to be bounded to probabilistic polynomial time

◦ Zk ← z (PPT). These bounds are used to demonstrate unconditional

integrity, and are latter reversed for a brief consideration of

◦ Publish: R(z+1,k)

everlasting privacy. Either entity may employ a malicious

◦ Publish: E(:,2z+1,k) strategy and we denote this with a prime (P 0 , V 0 ).

Depending on the flip, they either reveal the first two or last The Eperio verification protocol is challenge-response. The

two columns in each instance. This is illustrated in Figure 3. print audit uses an interactive challenge where verifiers choose

which ballots at random to check that the correspondence

between ballot positions and candidates is consistent with the

ACCEPTV (tr(P 0 ,V) (C, L, ρ, τ, E(:,2,:) , Rz )) ←

committed E table. The receipt check also uses an interactive

challenge where a random fraction of voters will choose to ACCEPTV1 (tr(P 0 ,V) (ρ)) ∩

check that the correspondence between ballot positions and ACCEPTV2 (tr(P 0 ,V) (C, L, Rz )) ∩

marks is consistent with the published marks E(:,2,:) . Finally ACCEPTV3 (tr(P 0 ,V) (C, ρ, τ, E(:,2,:) , Rz )). (1)

the tally audit uses a public coin challenge where the prover

is asked to reveal either E(:,1,x) or E(:,3,x) for a given x. We prove the soundness of the three right-hand decisions

Let Ω represent the description of an election; a mapping be- independently and then consider the implication of their

tween each ballot and the candidate who was voted. Consider conjunction. Since the proof protects against very strong

the pair hE, Ri, an Eperio table and the random factors used in adversaries, we also remark on what a real world adversary

committing to it. These two items are sufficient for generating may want to achieve as it relates to each proof.

all the other data structures needed in the verification protocol. a) Receipt Check: First consider the verification that the

Denote E as the set of all hE, Ri pairs that would correctly asserted receipts, ρ, match the physical receipts retained by

encode Ω, and Ē as the set of all other pairs. the voters: ACCEPTV1 (tr(P 0 ,V) (ρ)). This check does not prove

anything about the committed values directly, but is simply

designed to decide whether ρ alone is reputable. If it is,

A. Completeness this fact can be used to establish other facts more directly

An abbreviated transcript of the verification protocol fol- associated with the asserted tally τ .

lows: A malicious prover has a binary choice at this stage: to

P → V: C Commitment assert a correct value ρ or an incorrect ρ0 . If ρ0 is asserted, the

P ← V: M Challenge transcript’s acceptablity decreases in proportion to the number

P → V: ρ, L, E(:,2,:) , τ Response of voters verifying their receipts. Let b0r be the number of

P ← Coin: Z Challenge modified ballot receipts in ρ0 , and 0 ≤ p1 ≤ 1 represent

P → V: Rz Decommit the fraction of voters who conduct a receipt check. Further

Recall that τ represents the asserted tally and let ρ be the assume the distribution of b0r and the ballots associated with

asserted receipts. Assume E ∈ E for Ω. If P and V behave p1 are independent. In this case, the probability of rejecting

honestly and follow the protocol outlined in the previous an incorrect transcript is tightly approximated by:

section, then τ , ρ and L will also be consistent with Ω and the

three verifications performed by V will succeed with certainty. 0

It may be worthwhile to note that V’s acceptance is condi- Pr[REJECTP 0 ,V1 ] = (1 − (1 − p1 )br ). (2)

tional on many things beyond τ . If P were to commit to wrong In terms of real-world adversaries, this verification step is

values and reveal marks in the wrong position, but still report very important. A malicious set of trustees could use such an

the correct τ , the proof will be rejected. We do not classify attack to explicitly move votes from one candidate to another

this as a true negative error as we are determining whether the in ρ. This result can be generalized to any voting system where

proof is acceptable. voters check the inclusion of their obfuscated votes. Increasing

certainty in the tally proof can often be made exponential in

B. Soundness some chosen parameter (as we will show is the case with

Eperio), but this certainty will at some point overtake the

We now consider whether V will ever accept a proof when

certainty that the inputs are correct, which are fixed by p1

E ∈ Ē. If the probability of rejecting a false proof is much

and invariant to the security parameter of the system. Since

greater than 1/2, we say Eperio is sound. The soundness of

the soundness of the overall system rests in the weakest link—

Eperio relies on two assumptions:

increasing the certainty of the tally does not necessarily add

1) The function Commit(m, r) is perfectly binding. That security overall! Further attention should be paid to methods

is, for any m1 such that Commit(m1 , r1 ) = c1 , there for increasing partition in the receipt check, or introducing

does not exist any r2 and m2 6= m1 such that mechanisms to capture all the receipts. The only system we

Decommit(c1 , r2 ) = m2 . are aware of to address this is VoteBox, which includes their

2) The function PublicCoin() is perfectly unpredictable earlier AUDTITORUM protocol that could capture all receipt

before invocation. information [37].

Let tr(P 0 (E,Ω),V(M,Z)) (α) denote a transcript of a proof b) Print Audit: Next consider tr(P 0 ,V) (C, L, Rz ) which

given by a malicious prover with private information E(i,j,k) is used to determine if the linkage list, L, implies that the

and Ω to an honest verifier with challenges M and Z. The ballots were printed in a way that is consistent with the binary

proof concerns some public information α. We shorten the relation R(E(i,1,k) , E(i,3,k) ) for all i and k. These values

notation to tr(P 0 ,V) (α). Given a transcript, V will decide in are committed to in C and the partial relation E(i,2z+1,k) is

PPT-time to either ACCEPT or REJECT the transcript as a opened by Rz .

valid proof. If a malicious prover misprints b0p ballots, and 0 ≤ p2 ≤ 1

The logic of V’s strategy in terms of the three types of is the fraction of ballots that are print audited, the probability

0

verification is as follows, of a modified ballot being selected for audit is 1 − (1 − p2 )bp .

Pr@RejectV D

There are different ways to misprint a ballot, however any

surjective modifications are trivially detectable. Consider a 1.000 æææææææææææææææææææææææææ

æææ

misprinted ballot to be one that bijectively swaps the order æ

æ

of some candidates. 0.998 æ

P 0 could escape detection by decommiting to the misprinted æææææææææææææææææææææææææææææææææææææææ

value, however we assume this is impossible by soundness 0.996 æ

**assumption 1. Instead, P 0 must assert which i in E(i,j,k) 0.994
**

matches the printed ballot. For a given k, P 0 could choose

i such that E(i,1,k) is correct, and will escape detection if 0.992 æ

**the coin flip is 0 but be detected if z = 1. Alternatively, the
**

prover could choose the row such that E(i,3,k) is correct, and 0.990 x

5 10 15 20 25 30 35 40

will escape detection if z = 1 but be detected if z = 0. Given

the second soundness assumption, P 0 cannot predict z to a Fig. 4. The Weakest Link. The probability that the transcript of an

E2E-enabled election will be discovered to be unsound, given ballots were

probability better than 1/2 for each instance 1 ≤ k ≤ x. In manipulated in an attempt reverse the outcome, is the minimum of two data

this case, series: a receipt audit (horizontal line) and tally audit (asymptote). The tally

audit converges on 100% as the number of proof instances, x, is increased.

The receipt audit however is a function of the number of voters checking their

0 1

Pr[REJECTP 0 ,V2 ] = (1 − (1 − p2 )bp )(1 − ). (3) receipts relative to the incidence of fraud. For example, if only a random 5% of

2x voters checked their receipts in a tight race, such as the 2008 Minnesota senate

In our estimate, a real-world adversary is unlikely to gain race in which the victory margin was 225 votes, the probability of detecting the

fraud would be 99.7%, meaning at x = 9, committing to additional instances

from misprinting ballots. The attack would begin with some would not have increased overall effective soundness.

prior knowledge of the expected distribution of votes—e.g.,

pre-election polls showing another candidate leading or an ex-

pected bias for a given precinct—and would involve mapping trustees could use such an attack to explicitly move votes from

the leading candidate’s votes to the adversary’s preferred can- one candidate to another in τ .

didate and the least preferred candidate to the main competitor. d) Overall Effective Soundness: We assume P 0 will

With x = 20 and 5% of ballots being print audited, the election adopt a proof strategy that minimizes the soundness of the

authority can be 99% certain that no more than 89 ballots were proof. Thus given a transcript with an incorrect public input,

misprinted and 50% certain that no more than 13 were. With the probability of it being rejected by V is,

20% checked, no more than 20 ballots were misprinted with

99% certainty and no more than 3 with 50% certainty. While a 0

**99% detection rate tolerates a fairly high number of misprinted Pr[REJECTP 0 ,V ] = min[(1 − (1 − p1 )br ),
**

ballots, this attack is marginalized by the observation that a 0 1 1

(1 − (1 − p2 )bp )(1 − x ), (1 − x )]. (5)

successful execution will only probabilistically gain votes for 2 2

the attacker. For example, if working from poll data showing By estimating p1 and b0r , we can use this equation to

a 51-49% split between two candidates, misprinting 89 ballots determine a suitable x for our implementation. For example, if

will on average only net the attacker 2 votes. the close 2008 Minnesota senate race was run with Eperio, the

c) Tally Audit: Finally consider the verification that attacker would need to modify at least 113 marks to overthrow

the now validated receipt list, ρ, implies that the asserted the 225 victory margin.7 Setting aside misprinted ballots, if say

tally, τ , is correct. The partial relation E(i,2z+1,k) is opened 5% of voters would check their receipts, an incorrect ρ will be

by R(z+1,j) and can be considered along side E(:,2,:) ). detected with 99.7% certainty. Thus x must be increased until

If z = 0, this pair of values should match ρ. If z = the probability of detecting an incorrect τ is greater than this

1, the pair should match τ . Thus our consideration is probability, which occurs at x = 9 instances. This is shown in

ACCEPTV3 (tr(P 0 ,V) (C(i,j) , ρ, τ, E(:,2,:) , R)). Figure 4.

If E(:,2,:) is correct, then the tally produced by any E(i,3,k)

is also correct. However if E(:,2,:) is not correct, it is possible

for P 0 to assert a tally τ 0 that is incorrect and acceptable to C. Computational Secrecy

V. For a given k, P 0 could choose E(:,2,:) to match τ , and We now prove that Eperio achieves computational secrecy.

will escape detection if the coin flip is 0 but be detected if This relies on the following assumptions:

z = 1. Alternatively, P 0 could choose E(:,2,:) to match τ 0 , and 1) The maximum number of colluding trustees is t.

will escape detection if z = 1 but be detected if z = 0. Given 2) At least one trustee submits to DKG an fi drawn with

the second soundness assumption, P 0 cannot predict z to a uniform randomness from Ztl .

probability better than 1/2 for each instance 1 ≤ k ≤ x. In 3) All outputs are computed with a blackbox.

this case, 4) Any polynomial-sized output from PRNG(κ) provides

no non-negligible advantage to a PPT-bounded adversary

1 in guessing either κ, the next bit in the output, or any

Pr[REJECTP 0 ,V3 ] = (1 − ). (4)

2x unobserved previous bit.

In terms of real-world adversaries, this verification step is

very important. Like in the receipt check, a malicious set of 7 http://electionresults.sos.state.mn.us/

5) The function Commit(m, r) is semantically secure and from L or knowledge of one’s own receipt) and output non-

computationally hiding. That is, given either c1 = negligible information about how the permutation maps other

Commit(m1 , r1 ) or c2 = Commit(m2 , r2 ) for any pairs not in L. Given that the Permute() and PermuteBlock()

chosen m1 and m2 , a PPT-bounded adversary should functions are implemented with perfect shuffles, RecoverSel0 ()

have no non-negligible advantage in guessing which cannot be polynomial in time unless if the PRNG(), its seed κ,

message was committed to. or all the trustee shares follow a distinguishable distribution.

Our approach will be to demonstrate that a transcript As shown by cases (ii-a) and (ii-b) above, this cannot be.

provides a malicious verifier, V 0 , with no non-negligible in- Similarly, the information leaked by R is addressed by case

formation about which candidate was selected for any ballot (ii) above.

in the election. Let RecoverSel be a PPT-algorithm that returns This demonstrates that the Eperio verification protocol is

1 if it successfully recovers such information. Note that computationally secret in a single instance. We complete the

given a correct list of receipts and tally, some information proof by considering the composition of multiple instances

may be determinable. For example, the adversary may be of independently shuffled tables. Give a single instance, k, is

able to determine if a voter abstained or voted randomly secure, consider as an inductive step the addition of k + 1,

(if the adversary instructs voters to, say, always mark the

first position). If everyone votes for the same candidate then

RecoverSel will trivially succeed. For reasons such as these, |Pr[RecoverSel(ViewV 0 (ρ, τ, C(:,k) , C(:,k+1) , L(:,k) ,

we define a baseline success, ψ, which depends on the security L(:,k+1) , E(:,2,k) , E(:,2,k+1) , Rz,k , Rz,k+1 ) = 1] −

of the voting interface (out-of-scope in our paper) and only Pr[RecoverSel(ViewV 0 (ρ, τ, C(:,k) , L(:,k) ,

theorize that Eperio is computationally secret relative to ψ.

E(:,2,k) , R(z,k) ) = 1]| ≤ 5 (9)

**Pr[RecoverSel(ViewV 0 (ρ, τ )) = 1] , ψ (6) Given the output of instance k, we show how a deterministic
**

polynomial time simulator could generate a second transcript,

We begin by proving, k+1, that is indistinguishable from a real transcript. Intuitively,

there is only one set of marks E(:,2,:) that will satisfy the

binary relation B(E(i,1,k) , ρ). However there are many permu-

|Pr[RecoverSel(ViewV 0 (ρ, τ, C)) = 1] −

tations of E(i,3,k) that satisfy the binary relation B(E(:,2,:) , τ ).

Pr[RecoverSel(ViewV 0 (ρ, τ )) = 1]| ≤ 1 + 2 . (7) The output of Eperio only proves that τ is correct, it does not

give any information about which receipts the votes for each

Assume there exists a polynomial time algorithm

candidate in τ came from. Any mapping of the results in τ

RecoverSel0 () that can distinguish these two views with

is plausible, and the simulator, SV 0 , only needs to generate a

greater than negligible advantage. Such an algorithm could

transcript of one of them.

take as input any set of commitments C and return non-

SV 0 will generate E such that E(i,1,k+1) is randomly shuf-

negligible information about the messages committed to.

fled along i for k+1. Next, SV 0 will fill in E(:,2,k+1) according

Consider two cases: (i) the random factors in the commitments

to ρ. Then, SV 0 will fill in E(i,3,k+1) for each i in L(i,j) with

are indistinguishable from uniform randomness and (ii) the

the appropriate candidate. Finally, SV 0 will randomly assign

random factors are distinguishable by a bounded V 0 .

candidates to the rest of E(i,3,k+1) such that τ is satisfied. The

Case (i) is in violation of assumption 5. Given RecoverSel0 ()

simulator will commit to this, generating C(i,j) .

runs in polynomial time, it cannot achieve more information

than . Let this information be 1 . If case (ii) holds, this can be The verifier, V 0 , will observe random bits Zi and challenge

further broken into two cases: (ii-a) the output of the PRNG() SV 0 to reveal R(z+1,j) . Since we have gone through the

function follows some distinguishable distribution and (ii-b) difficulty of validating all of the public parameters, SV 0 ’s

the seed to the PRNG() function follows some distinguishable output will be acceptable at this stage with probability 1. It

distribution. Case (ii-a) is in violation of assumption 4 which does not need to rewind the protocol.

implies that if RecoverSel0 () runs in polynomial time, it cannot Consider a bound on the size of E for a given Ω. Recall that

achieve more information than . Let this information be 2 . b is the number of ballots, s the number of selections, and x

Given that DKG() is information theoretic, case (ii-b) can only the number of instances. The construction of E(i,j,k) requires

hold if all of the trustee shares follow a known distribution, a two permutations, ΠS = s!b and ΠE = (bs)!x , while R(i,j)

violation of case (ii-b). requires two l-bit random factors for each instance, yielding

Now consider the following, 22xl possible values. The number of random bits for any E

is thus on the order of 2xl + b · O(s log s) + x · O(bs log bs).

For large enough b and s, this is much greater than the l

|Pr[RecoverSel(ViewV 0 (ρ, τ, C, L, E(:,2,:) , Rz ) = 1] bits of true randomness in κ. Thus, only a small subset of

−Pr[RecoverSel(ViewV 0 (ρ, τ, C)) = 1]| ≤ 3 + 4 . (8) E are possible outputs of the described protocol. Due to the

properties of the PRNG, a bounded simulation strategy cannot

Again assume RecoverSel0 () can distinguish these two distinguish this subset from a randomly generated E however a

views with greater than advantage. Such an algorithm could unbounded V 0 can. This is the intuition behind Eperio offering

take as input several input-output pairs of a permutation (e.g., only computational secrecy.

D. Everlasting Privacy of the recent occasions where end-to-end verifiable voting

We now briefly sketch how to modify Eperio to achieve systems were used in real-life binding elections, semi-trusted

everlasting privacy. It requires three simple modifications. computers were deployed: e.g., Punchscan at the University of

First, the commitment function is replaced with one that is Ottawa [20], Helios at Université Catholique de Louvain [2],

perfectly hiding and computationally binding. This affects the and Scantegrity at Takoma Park, MD [14].

soundness proof as committed values can be opened, by an

unbounded adversary, to any value. Therefore the soundness of Cryptographic Commitment

the argument is only as hard as the computational bindingness We are interested in using file encryption as a commitment

of the commitments. This also changes assumption 5 of the function. Specific to Eperio, the columns of the Eperio table

secrecy proof. Second, trustees generate all of the randomness will be put into a file of a standard format, such as the comma-

needed to do the permutations and random factors. From a separated values (CSV) format, and an encryption of the file

practical standpoint, this significantly increases the complexity will be posted as a commitment to it. Later, the encryption key

of the protocol as a DKG is needed to threshold share will be revealed to open the file (making it a commitment with

every piece of randomness. Finally, given the direct source message recovery). While our implementation of Eperio can

of randomness, the PRNG can be eliminated. This removes be easily modified to work with any standard commitment

assumption 4 of the secrecy proof. function, we use this approach to simplify the experience

The first 3 secrecy assumptions still hold, demonstrating for voters who want to verify the proof for themselves. File

that everlasting privacy is achievable but only within a narrow encryption utilities are readily available, easy to use and fits

view of the protocol. For example, if at least t + 1 trustees within the common mental model of encryption: a secret

reveal their private inputs, privacy can still be broken. This message is protected by a secret and symmetric key.

holds for any distributed voting system in the literature.

Conjecture 1: Define a hiding-only “commitment”

function as (c, IV) ← WeakCommit(m, r) =

V. P RACTICAL P RIMITIVES

Er (IV, m), where E is a pseudorandom permu-

In this section, we revisit a few of the cryptographic tation using a chosen plaintext attack (CPA) se-

primitives needed in Eperio. In particular, we are interested cure mode of operation with initialization vector

in options that allow for useful deployment options. IV. While not binding, we conjecture that such

a “commitment” is computationally hiding.

Blackbox Computation Proof Sketch: To address the hidingness, consider an attack

The Eperio protocol requires the generation of the Eperio game where an adversary A provides equal-length messages

table to be done using a blackbox computation. While in m1 and m2 to an oracle O. O generates a random value r

theory, the task performed by the blackbox could be made and IV, flips a coin z, and returns (cz , IV) = Er (IV, mz ).

into a multiparty computation (where only privacy is required A must guess if cz is a commitment to m1 or m2 (or that

as correctness is provided by Eperio), we instead propose the both are possible under a different r). Assume an algorithm

use of a semi-trusted computer. z ← Ah (m1 , m2 , cz , IV) exists that can guess z correctly with

A semi-trusted computer in this context is only trusted to non-negligible advantage. It is straightforward to see how this

provide private evaluation of functions; the correctness can be algorithm would provide an advantage in a chosen plaintext

determined through the audit. However, to prevent elections attack game: the adversary would submit the CPA challenge

from having to be rerun when a post-election audit reveals values to Ah and respond with z. Since the scheme is assumed

errors or fraud, mechanisms are provided to encourage correct to be CPA-secure (heuristically in the case of something like

evaluation. We assume that source code for the functions to be AES-CBC), Ah can be assumed to be not computable by

evaluated is provided for inspection prior to its use, and the a PPT-bounded adversary. Thus the commitment scheme is

computer is capable of providing an attestation mechanism computationally hiding and conjecture 1 holds.

to assure the trustees that the same verifiable code is being Breaking the bindingness of WeakCommit is, of course,

booted on the computer. We also assume that trustees can trivial as Dr (IV, c) = m for a random r is overwhelmingly

interact with the trusted computer over a physically untappable likely to reveal an m 6= m1 . However, in this particular

channel to submit their secret shares. This could be plugging application, de-committing to an arbitrary string of bits is

a USB stick with the share into the computer. The software unlikely to be of use should an adversary actually wish

should be suitably hardened to prevent trustees from injecting to decommit to something meaningful. This is akin to the

code or conducting a buffer overflow attack when entering difference between existential forgery and selective forgery

their shares. in MAC security (or collision resistance and target collision

Eperio is a stateless protocol. All tasks performed by the resistance in hash function security). Consider a game where

trustees can be accomplished by regenerating the Eperio table, O chooses a random m1 and m2 and provides this to A. A

and the regeneration of this table can be accomplished through must find an r1 and r2 such that Er1 (IV, m1 ) = Er2 (IV, m2 ).

a threshold of secret shares from the trustees. Therefore the Assume an algorithm Ab exists that can return such a r1

computer should not have any persistent memory and its and r2 . We do not pursue an intractability argument for Ab as

internal state should be purged after the outputs have been it implies a weaker commitment function than those standard

published. While this assumption may seem strong, in each in the literature. For example, with a Pedersen commitment

[33], finding any (m, r) pair, meaningful or not, is as hard as cipher, under the assumption that the block cipher models a

the discrete logarithm problem. Instead, we will demonstrate pseudorandom permutation, a CPA-secure mode of operation

a commitment for which it is statistically unlikely that such a is selected, and the keyspace is equal to the message space.

pair could exist. In particular, if |c| |m| × |r|, this property We model this ideal functionality in the real-world with AES-

could hold. We cannot decrease |r| without ramifications for 128-CBC in the next section.

the hidingness of the commitment, however we can effectively

increase the |c| : |m| ratio by adding redundancy to m prior Public Coin Toss

to committing to it.

Voting systems often require the use of a public coin (or

Conjecture 2: Define a commitment function as

beacon) for the purposes of fairly implementing the cut-and-

(c, IV) ← Commit(m, r) = Er (IV, mkf (m)),

choose aspect of the audits. In the case of conventional voting,

where E is a pseudorandom permutation us-

it is used to select precincts for manual recounts. Cordero

ing a CPA-secure mode of operation. We con-

et al. suggest a protocol using dice [18]. Clark et al. note

jecture that such a commitment is computa-

that dice outcomes are only observable by those in the room,

tionally hiding and statistically binding for an

and suggests a protocol for auditing E2E ballots using stock

appropriate choice of f . We define m0 ←

market prices and volumes [16]. This was suggested earlier

Decommit(c, IV, r) = Dr (IV, c), which is only

by Waters et al. outside of the voting context [38]. A further

accepted when m0 has the correct form mkf (m).

alternative is to use the Fiat-Shamir heuristic [22], which is

Proof Sketch: The hiding property remains intact from secure in the random oracle model. However, a requirement

WeakCommit. We say Commit is statistically binding for a for Fiat-Shamir is that the challenge space is large. In our

correctly formed m0 if, case, the number of challenge bits is the same as the number

of proof instances, which is unsuitable for 10 or 20 instances.

p , Pr[∃m0 s.t. (c, IV) = Commit(m0 , r0 )| Thus, we use the stock market protocol as follows: the output

from a statistically-sound PRNG is seeded with a hash of a

(c, IV) = Commit(m, r) & m 6= m0 ] ≤ negl(|r|). (10)

pre-selected portfolio of closing stock prices and volumes.

(We will abuse notation by reusing variable names from Evaluation of challenges occurs at least a full business day

the previous section.) Consider f (m) = mkm; that is, after the audit data has been committed to [16].

Commit(m, r) = Er (IV, mkmkm). If so, the probability p

of an m0 and r0 , as defined in Equation 10, existing given VI. I MPLEMENTATION

an m and r takes the following form where x is the size of In this section, we consider implementation possibilities for

domain of the commitment function and y, the co-domain. the verification interface of an election run using Eperio. The

requirements for the receipt check (proof of Property 1b in

1 Section II) and the first component of the print audit (proof of

p = 1 − (1 − )x−1 (11)

y Property 1a) primarily involve looking up an serial number in

Let the input to E be a message block of bit-length |m̄| a sorted list and therefore are simplistic enough to not require

and a key of bit-length |r|. For a message with b blocks their own implementation per se. The requirements for the

(|m| = b|m̄|), the domain of Commit is x = 2|r|+b|m̄| . The 2 tally audit (proof of Property 1c) and the verification of the

repetitions of |m| are fixed by choice of the domain, and the print audit linkage lists will however require symmetric-key

initialization vector is a constant. The co-domain is y = 23b|m̄| , file encryption and basic data operations and will be the subject

with the factor of 3 due to the redundancy function f . We of our discussion. We present three options for implementing

are interested in an upper-bound to equation 11 with these the encryption and data operations individually, as well as one

values of x and y. As we are not trying to prove a general “all-in-one” option as a future possibility.

case, assume for simplicity that |m̄| = |r|, and note that b is a

positive integer such that p is maximized when b is minimized. A. Overview

The upper bound at b = 1 is given as Equation 12. We assume each instance of the receipt list E(:,1,i) and

candidate list E(:,3,i) are generated during the black-box

1 22|r| −1 computation and written into their own CSV file. These files

p ≤ 1 − (1 − ) (12)

23|r| shall be encrypted individually, under their own independently

22|r| derived secret-key, using standard file encryption software in

≈ 1 − exp(− 3|r| ) (13)

2 accordance with the commitment scheme described in the

= 1 − exp(−2−|r| ) (14) previous section. The encrypted files are posted to the bulletin

≤ negl(|r|) (15) board prior to the election along with an election definition.

After the election, each instance of E(:,2,i) is computed in a

Equation 13 follows from the approximations that (1 − black-box computation and put into a CSV file and posted (in

1/y)x ≈ exp(−x/y) and (1 − 1/y)−1 ≈ 1 for large y. plaintext) to the bulletin board alongside an asserted receipt-

We have demonstrated a very specific statistically hiding and tally-lists. After the passing of a business day, the closing

commitment function that can be constructed from a block prices of the stock market are used to generate a public audit

challenge. For each instance i the secret key to one of either TrueCrypt file dialog. The user can then work in the spread-

E(:,1,i) or E(:,3,i) is challenged to be published. As a means of sheet with the decrypted file directly from the mounted True-

simulating the append-only property of the bulletin board, we Crypt volume. Spreadsheets offer the advantage that verifiers

assume verifiers will download these files as they are made can manually work through the audit process without having

available. to examine or understand custom software code. The data

operations themselves are basic: copy, paste, sort and compare

data columns from several different files. We tested the manual

B. Standalone File Encryption and Small Custom Codebase verification steps in two popular spreadsheet applications:

This first implementation option is most closely related Microsoft Excel 2007 and OpenOffice.org Calc 3.0. The full

those of existing systems: verifiers write a program in their version of this paper provides a set of directions for manual

favorite language to perform the verification steps. It is also verification using OpenOffice Calc.

the option with the most technical requirements: the ability Although the integrity proofs could be performed manually

to write (or analyze) software code and use a command-line by a user in a few basic spreadsheet operations, the repetition

interface. of checking multiple instances can become tedious to a user,

Implementation Option 1 (OpenSSL and and for this reason we consider automating the process using

Python): A Phython script externally calls spreadsheet macros. This third option combines the conve-

OpenSSL to decrypt relevant files and then nience of executing a custom code base with the widespread

performs the audits using those files. pre-existing availability of spreadsheets.

Implementation Option 3 (TrueCrypt and

We implemented proofs of properties (1a) and (1c) in a

Spreadsheet Macros): A verifier decrypts in-

compact fifty (50) lines of Python code, and have placed it

dividual files, mounting them as TrueCrypt vol-

online along with sample election audit data8 . As will be

umes, and uses a spreadsheet macro to perform

discussed in the following section, this represents the smallest

data operations.

implementation of a verification interface relative to other

major implementations by an order of magnitude. We tested Spreadsheet macros also offer the advantage of easy execution

this implementation on Ubuntu 7.10 (Python 2.5) and 9.10 from within the application. Excel allows easy viewing and

(Python 2.6) as well as on Mac OSX Leopard and found that editing of the macro source code using a built-in VBA

it could be executed directly from the command-line without development environment. As a downside, Excel 2007 is not

any other user action (i.e., without additional installation or configured by default to run unsigned macros. These security

configuration). Verifiers using Windows would be required to warnings may be contradictory to the user’s expectations in

install Python and OpenSSL, or as an alternative, they could the context of a security proof, however the warning can be

be directed to burn an Ubuntu live cd, and with the election eliminated by purchasing a code signing certificate from a

data and verification script on a USB key, could run the entire commercial authority for a fee.

audit without actually installing software on their machine.

D. Spreadsheets as an All-in-one Solution?

C. Standalone File Encryption and Spreadsheets Most major spreadsheets, including Calc and Excel, provide

built-in file encryption, suggesting commitments could be

An interesting alternative to writing a custom codebase

issued as encrypted workbooks. Although there is no funda-

is to use a spreadsheet which can import a CSV file as a

mental reason why a spreadsheet could not provide secure file

worksheet. We believe that spreadsheets can help broaden the

encryption, spreadsheets ultimately are not designed with doc-

real-world appeal of E2E verification, given many citizens

ument security as a priority. Indeed improper implementation

who are not accustomed to reading or writing software do

of RC4 in Microsoft Office 2003 [39], as well as only allowing

use spreadsheets. Spreadsheets have grown to become one of

40-bit keys, rightfully contributes to a sense of skepticism

the most familiar computer applications, capturing a diverse

about whether spreadsheets (even current versions) can provide

cross-section of users in government, enterprise, and consumer

the necessary security properties for our purpose. Office 2007

sectors. Because we are offering spreadsheets as a less tech-

uses 128-bit AES encryption in CBC mode9 and OpenOffice

nical alternative, we pair it with a file encryption utility that

uses 128-bit Blowfish in cipher-feedback (CFB) mode10 . At

has a graphical user interface.

a cursory level, the fundamentals of a secure commitment

Implementation Option 2 (TrueCrypt and scheme seem present.

Spreadsheets): A verifier decrypts individual However digging deeper reveals some potentially unde-

files by mounting them as TrueCrypt volumes, sirable properties. OpenOffice in particular has a privacy

and performs the audits using those files manu- weakness that would render it unsuitable to enforce the hiding

ally in a spreadsheet. property of a cryptographic commitment. Specifically at issue

The cryptographic operation requires the user to copy and is OpenOffice’s hashing of the first kilobyte of the compressed

paste an ASCII encoded key from a spreadsheet cell into a workbook and storing this hash (called SHA1/1k)—unsalted

8 Verification reference implementation and sample election data available 9 MS-OFFCRYPTO: Office Document Cryptography Structure v1.06

at: http://www.sites.google.com/site/eperiovoting 10 Open Document Format for Office Applications (OpenDocument) v1.2

and unencrypted—in the encrypted file’s meta data. This of comparison a sample election of Helios v1. may provide

vulnerability would conceivably allow an adversary to recover some insight: here a ballot with 4 selections, 500 ballots and

at least the first portion of the encrypted column E(:,j,i) using 80 proof instances took approximately 4 hours to complete [1].

a brute-force search on the reasonably small space of possible A simulated dataset of a similarly sized Eperio election took

values the cells could hold while being sensible in the context 1.13 seconds to complete. We note however that Helios v2. is

of an election. This could potentially result in the receipt- a fundamentally different proof mechanism and thus in many

candidate associations of several voters being identifiable. ways, a direct comparison is difficult to make. However the

It would appear that current spreadsheets are not quite major differences in the performance of Helios’ verification

yet suitable for implementing cryptographic commitments. interface, both in code size and execution time can largely

However the prospect of an “all-in-one” election verification be attributed to the use of specialized homomorphic public-

tool already being installed on most voters’ computers is an key operations. Finally, and because of this, Helios requires

intriguing one. Until that time comes however, we shall con- custom cryptographic software components.

sider spreadsheets solely for the non-cryptographic operations Scantegrity: The Scantegrity II system was used in a

of election verification. municipal election in Takoma Park, Maryland in 2009. This

was an optical-scan based election consisting of 6 wards

E. Understanding Errors each of 5000 ballots and 20 proof instances. There were

two independent audits performed (supra. note 3). The first

It is important that any verification interface be able to implementation consisted of almost 850 lines of Python. We

communicate meaningful error messages so that a user is had an unresolvable execution issue that allowed us to only

reasonably able to distinguish between a user error (e.g., partially verify the election using this codebase, but we found

missing files, using the wrong key, etc) and an election data that auditing one ward took at least 7 minutes. The second

error (e.g., failed decommitment, inconsistent tables, etc). In implementation consisted of almost 900 lines of Java and

the former case, an error would have to convey which action required 56 seconds to complete. A simulated dataset of a

the user can take to resolve the problem. In the latter case, the similarly sized Eperio election took 29.0 seconds to complete.

error should be able to convey how to seek further assistance. We acknowledge however that Scantegrity is a more mature

User studies would be necessary to determine whether a implementation which factors in additional features (provi-

script’s error handling was suitable for this. Note that error sional ballots, dispute resolution and public coin verification)

messages are not possible with implementation option 2, and that we leave for future work. Despite this, we contend that

therefore a well annotated instruction manual (or video) would the performance increases over Scantegrity are fundamental,

be necessary. and can be attributed to three features: linkage lists, column-

wise commitments, and the inherent “net-less” structure of the

VII. P ERFORMANCE C OMPARISON E-table.

Several implementations of E2E systems exist, however we

only consider the performance and code length of Eperio’s VIII. R ELATED W ORK

verification interface relative to systems that have recently con- Throughout the 1980s and 1990s, many protocols for crypt-

ducted binding elections: Punchscan, Helios, and Scantegrity. ographic voting were proposed, the majority based on either

Specifically we compare the Eperio reference implementation mix networks, originating with Chaum [12], or additive homo-

(option 1—Python) to the implementations of the these sys- morphic encryption, originating with Benaloh and Tuinstra [8].

tems. All Eperio timing data was performed on a 2.4GHz Duo The first generation of mixnet protocols appeared before

Core MacBook Pro (MB470). Our Eperio verification interface techniques for provably correct mixing were known, including

is implemented in 50 lines of code. a well-studied protocol by Fujioka et. al [23], while second

Punchscan: The Punchscan system was used in a student generation protocols, originating with Sako and Killian [36],

election at the University of Ottawa in 2007. This was an use a correctness proof.

optical-scan election consisting of 12 selections, 5000 ballots Recently, implementation issues are given more consider-

and 10 proof instances. The provided verification software ation. VoteHere [32] and Votegrity [13] are early electronic

consists of approximately 2000 lines of C#. We ran their audit systems where voters do not need to perform traditional

software on their provided election data and found it took 75 cryptography, while VoteBox [37] allows voters to obtain

seconds to complete. In comparison, a simulated dataset of a an encrypted ballot from an untrusted machine using a cut-

similarly sized Eperio election took 9.3 seconds to complete and-choose protocol due to Beneloh [7]. Prêt à Voter [15],

with our reference implementation. Punchscan [34], Scratch & Vote [3], ThreeBallot [35], and

Helios: The Helios v2. system was used in a student Scantegrity [14] are examples of systems that use paper

election at the Université catholique de Louvain in 2009 [2]. ballots, require no cryptography for vote capture, and offer

This was an internet-based election consisting of approxi- a privacy preserving receipt to each voter. Civitas [17] is an

mately 4000 voters who voted for a university president. We internet system based on a protocol by Juels et al. [27] for high

were unable to make a comparison with Helios verification coercion elections, while Helios is designed for low coercion

code as used in the UCL election: no timing data for the internet elections [1].

audits was given and the UCL bulletin board data appears The cryptographic proofs in these systems use a variety of

to have been taken offline at the time of writing. As a point approaches, including zero-knowledge proofs, cut-and-choose

protocols, and randomized partial checking [26]. Eperio is [18] A. Cordero, D. Wagner, and D. Dill. The role of dice in election audits.

perhaps closest to Scantegrity, which also breaks election WOTE 2006.

[19] Election Data Services Inc. Voting equipment summary by type as of

data into markable regions and uses a blackbox computation. 11/07/2006. 2006.

However Eperio uses a more compact data structure, no [20] A. Essex, J. Clark, R. T. Carback, and S. Popoveniuc. Punchscan in

pointers, and does not need to commit at the high level of practice: an E2E election case study. WOTE 2007.

[21] Federal Constitutional Court of Germany. Judgement 2 BvC 3/07, 2

granularity that Scantegrity does. BvC 4/07, Verfahren über die Wahlprüfungsbeschwerden, 2009.

[22] A. Fiat and A. Shamir. How to prove yourself: practical solutions to

identification and signature problems. CRYPTO ’86.

IX. C ONCLUDING R EMARKS [23] A. Fujioka, T. Okamoto, and K. Ohta. A practical secret voting scheme

The contemporary verification process for electronic voting for large scale elections. In ASIACRYPT ’92.

[24] E. Hubbers, B. Jacobs, and W. Pieters. RIES: Internet voting in action.

is deficient. Independent security reviews are generally rare, COMPSAC 2005.

time-constrained affairs subject to non-disclosure. While we [25] S. Inguva, E. Rescorla, H. Shacham, , and D. S. Wallach. Source code

advocate greater transparency for existing election technology, review of the Hart InterCivic voting system. State of California’s Top

to Bottom Review, 2007.

we also contend that end-to-end verification offers a distinct [26] M. Jacobsson, A. Juels, and R. L. Rivest. Making mix nets robust

advantage: verification becomes a task of checking election for electronic voting by randomized partial checking. USENIX Security

data not software and equipment. This may appear to simply Symposium 2002.

[27] A. Juels, D. Catalano, and M. Jacobsson. Coercion-resistant electronic

shift the problem: the prevailing methods for verifying E2E elections. WPES 2005.

election data is with software. However it is not a simple shift. [28] J. Katz. Universally composable multi-party computation using tamper-

In nearly all E2E systems, the verification code is smaller than proof hardware. EUROCRYPT ’07

[29] T. Kohno, A. Stubblefield, A. D. Rubin, and D. S. Wallach. Analysis of

the hundreds of thousands of lines of code in a modern DRE. an electronic voting system. IEEE Symposium on Security and Privacy

With Eperio, it is much smaller—four orders of magnitude 2004.

smaller—and verification can even be performed manually [30] T. Moran and M. Naor. Split-ballot voting: Everlasting privacy with

distributed trust. CCS 2007.

without any code. By making verification more accessible [31] T. Moran and G. Segev. David and Goliath commitments: UC computa-

to voters, we contend that Eperio is an important democracy tion for asymmetric parties using tamper-proof hardware. EUROCRYPT

enhancing technology. ’08.

[32] C. A. Neff. Practical high certainty intent verification for encrypted

votes. Technical report, VoteHere, 2004.

R EFERENCES [33] T. P. Pedersen. A threshold cryptosystem without a trusted party.

EUROCRYPT ’91.

[1] B. Adida. Helios: web-based open-audit voting. USENIX Security [34] S. Popoveniuc and B. Hosp. An introduction to Punchscan. WOTE

Symposium 2008. 2006.

[2] B. Adida, O. de Marneffe, O. Pereira, and J.-J. Quisquater. Electing a [35] R. L. Rivest and W. D. Smith. Three voting protocols: Threeballot, VAV,

university president using open-audit voting: analysis of real-world use and Twin. EVT 2007.

of Helios. EVT 2009. [36] K. Sako and J. Kilian. Receipt-free mix-type voting scheme: a practical

[3] B. Adida and R. L. Rivest. Scratch & Vote: self-contained paper-based solution to the implementation of a voting booth. EUROCRYPT ’95.

cryptographic voting. WPES 2006. [37] D. R. Sandler, K. Derr, and D. S. Wallach. VoteBox: a tamper-evident,

[4] A. W. Appel, M. Ginsburg, H. Hursti, B. W. Kernighan, C. D. Richards, verifiable electronic voting system. USENIX Security Symposium 2008.

G. Tan, and P. Venetis. The New Jersey voting-machine lawsuit and the [38] B. Waters, A. Juels, J. A. Halderman, and E. W. Felten. New client

AVC Advantage DRE voting machine. EVT 2009. puzzle outsourcing techniques for DOS resistance. CCS 2004.

[5] A. Aviv, P. Cerny, S. Clark, E. Cronin, G. Shah, M. Sherr, and M. Blaze. [39] H. Wu. The misuse of RC4 in Microsoft Word and Excel. Cryptography

Security evaluation of ES&S voting machines and election management ePrint Archive, 2005/007, 2005.

system. EVT 2008. [40] United States Election Assistance Commission (EAC). The 2008

[6] J. Benaloh. Verifiable secret-ballot elections. PhD thesis, Yale Univer- voluntary voting system guidelines (v1.1), 2009.

sity, 1987.

[7] J. Benaloh. Simple verifiable elections. EVT 2006.

[8] J. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. STOC

1994.

[9] M. Blaze, A. Cordero, S. Engle, C. Karlof, N. Sastry, M. Sherr,

T. Stegers, and K.-P. Yee. Source code review of the Sequoia voting

system. State of California’s Top to Bottom Review, 2007.

[10] K. Butler, W. Enck, H. Hursti, S. McLaughlin, P. Traynor, and P. Mc-

Daniel. Systemic issues in the Hart InterCivic and Premier voting

systems: reflections on project everest. EVT 2008.

[11] J. A. Calandrino, A. J. Feldman, J. A. Halderman, D. Wagner, H. Yu,

and W. P. Zeller. Source code review of the Diebold voting system.

State of California’s Top to Bottom Review, 2007.

[12] D. Chaum. Untraceable electronic mail, return addresses, and digital

pseudonyms. Communications of the ACM, 24(2), 1981.

[13] D. Chaum. Secret-ballot receipts: true voter-verifiable elections. IEEE

Security and Privacy, 2(1), 2004.

[14] D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. L. Rivest,

P. Y. A. Ryan, E. Shen, and A. T. Sherman. Scantegrity II: end-to-

end verifiability for optical scan election systems using invisible ink

confirmation codes. EVT 2008.

[15] D. Chaum, P. Y. Ryan, and S. A. Schneider. A practical, voter-verifiable,

election scheme. ESORICS 2005.

[16] J. Clark, A. Essex, and C. Adams. Secure and observable auditing of

electronic voting systems using stock indices. IEEE CCECE 2007.

[17] M. R. Clarkson, S. Chong, and A. C. Myers. Civitas: toward a secure

voting system. IEEE Symposium on Security and Privacy 2008.

A PPENDIX

A. Eperio Audit Data Specification

All (unencrypted and decrypted) election data files are formatted as UTF-8 encoded Comma Separated Values (CSV).

Columns are separated by the delimiter ‘,’ (0x2C) and rows are separated by a carriage return (0x0A).

**File Naming and Formatting Convention
**

For an election of b ballots, c candidates, I proof instances, of which p were print audited, the following files will be

generated and posted to the bulletin board through the course of the election verification timeline

$electionDir$/AssertedReceipts.csv: is a bc × 2 list containing an assertion of all receipt information

created during an election. Each element in (:, 1) is unique election references: s-p where 1 ≤ s ≤ b is a ballot

serial number and 0 ≤ p ≤ c − 1 a mark position. Elements in column (:,2) represent the corresponding mark

state registered during the election, either 0, 1, or -1 indicating the corresponding unique reference was either

unmarked, marked or print audited respectively.

$electionDir$/AssertedTally.csv: is a bc × 2 list containing an assertion of aggregate voting intent

created during an election. Column (:, 1) is a list of b repetitions of c candidate names. Elements in column (:, 2)

represent the corresponding mark state.

$electionDir$/LinkageList.csv: is a p × i + 2 list containing an assertion of the association between

receipt (:, 1) and candidate (:, 2) for all print audited ballots, as well as an assertion of the row number the entry

in each of the I instances of shuffled receipt (U) and tally (S) lists.

$electionDir$/ChallengeKeys.csv: is a i × 2 list containing a respond to the audit challenge. Elements

at (i, 1) represent the relative file path to the file that was challenged: the i-th shuffled instance of the receipt

list $electionDir$/i/Ui or tally list $electionDir$/i/Si respectively. Elements at (i,2) represent the

corresponding revealed decryption key to the file (128-bits, BASE64 encoded).

For each instance 1 ≤ i ≤ I:

$electionDir$/i/Si.csv: is a bc × 3 list representing a shuffled instance of column (:,1) of

AssertedTally.csv repeated three times (as per the commitment scheme described in section V) in columns

(:, 1), (:, 2) and (:, 3) respectively.

$electionDir$/i/Ui.csv: is a bc × 3 list representing a shuffled instance of column (:, 1) of

AssertedReceipts.csv repeated three times as above.

$electionDir$/Marks/Mi.csv: is a bc × 1 list representing a shuffled instance of column (:, 2 of

AssertedReceipts.csv and AssertedTally.csv.

**File Encryption Conventions
**

128-bit file encryption keys are derived by the semi-trusted trustee workstation and BASE64 encoded for convenience of

transmission over the internet. The two file encryption options (OpenSSL and TrueCrypt) use their own password-based key

derivation functions. OpenSSL and TrueCrypt encrypted files are denoted by the .enc and .tcr extensions, and use AES-

128-CBC and AES-128-XTS encryption modes respectively. There is no inherent way to bypass the key-derivation process

of these applications to directly apply a binary key. As such the BASE64 encoded keys are supplied as passwords and each

program (OpenSSL, TrueCrypt, etc) will derive its own (binary) encryption key using its own particular password based key

derivation function. In OpenSSL the workstation applies the -a command option to BASE64 encode the encrypted output for

safe internet transport.

B. Source code for Implementation Option 1 (Python)

1 import csv , os , s t r i n g , t i m e , s y s

2 d e f openCSV ( f i l e N a m e ) :

3 data = []

4 f i l e C o n t e n t s = open ( f i l e N a m e , ’ r ’ )

5 for i in f i l e C o n t e n t s :

6 d a t a . append ( i . s t r i p ( ) . s p l i t ( ” , ” ) )

7 return data

8 def v e r i f y F a i l e d ( errorMsg ) :

9 print errorMsg

10 sys . e x i t ( )

11 def verifyCommitment ( i n s t a n c e ) :

12 o s . s y s t e m ( ” o p e n s s l e n c −d −a e s −128−c b c −a −i n ” + i n s t a n c e [ 0 ] + ” . e n c −o u t ” +

i n s t a n c e [ 0 ] + ” . c s v −p a s s p a s s : ” + i n s t a n c e [ 1 ] )

13 d a t a = openCSV ( i n s t a n c e [ 0 ] . s t r i p ( ’ ” ’ ) + ” . c s v ” )

14 col = []

15 for i in data :

16 i f i [ 0 ] ! = i [ 1 ] or i [ 0 ] ! = i [ 2 ] :

17 v e r i f y F a i l e d ( ” I n v a l i d Commitment ” )

18 return [ i [ 0 ] for i in data ]

19 def getMarks ( i n s t a n c e ) :

20 marks = openCSV ( ” . / Marks /M”+ i n s t a n c e [ 0 ] [ 2 : 4 ] + ” . c s v ” )

21 r e t u r n [ i [ 0 ] f o r i i n marks ]

22

23 a s s R e c e i p t s = s o r t e d ( openCSV ( ’ . / A s s e r t e d R e c e i p t s . c s v ’ ) )

24 a s s T a l l y = s o r t e d ( openCSV ( ’ . / A s s e r t e d T a l l y . c s v ’ ) )

25 pwds = openCSV ( ’ . / C h a l l e n g e K e y s . c s v ’ )

26 l i n k a g e L i s t = openCSV ( ’ . / L i n k a g e L i s t . c s v ’ )

27 f o r i , i n s t a n c e i n e n u m e r a t e ( pwds ) :

28 merged = [ ]

29 d a ta = verifyCommitment ( i n s t a n c e )

30 marks = g e t M a r k s ( i n s t a n c e )

31 for index in range ( len ( data ) ) :

32 merged . a p p e n d ( [ d a t a [ i n d e x ] , marks [ i n d e x ] ] )

33 i f i n s t a n c e [ 0 ] [ 5 ] == ”U” :

34 for b a l l o t , linkage in enumerate ( l i n k a g e L i s t ) :

35 i f l i n k a g e L i s t [ b a l l o t ] [ 0 ] ! = merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] )

− 1][ 0] or merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] ) − 1][ 1] ! = ”−1” :

36 v e r i f y F a i l e d ( ” L i n k a g e l i s t FAIL : R e c e i p t i n s t a n c e #%d d o e s

n o t d o e s n o t match l i n k a g e l i s t ” % ( i + 1 ) )

37 i f a s s R e c e i p t s == s o r t e d ( merged ) :

38 p r i n t ” I n s t a n c e %d v e r i f i e d ” % ( i + 1 )

39 else :

40 v e r i f y F a i l e d ( ” V e r i f i c a t i o n FAIL : R e c e i p t i n s t a n c e #%d d o e s n o t match

a s s e r t e d r e c e i p t l i s t ! ” % ( i +1) )

41 e l i f i n s t a n c e [ 0 ] [ 5 ] == ”S” :

42 for b a l l o t , linkage in enumerate ( l i n k a g e L i s t ) :

43 i f l i n k a g e L i s t [ b a l l o t ] [ 1 ] ! = merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] )

− 1][ 0] or merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] ) − 1][ 1] ! = ”−1” :

44 v e r i f y F a i l e d ( ” L i n k a g e l i s t FAIL : T a l l y i n s t a n c e #%d do \

t e x t t t {BASE64} e n c o d e d e s n o t d o e s n o t match l i n k a g e l i s t

” % ( i + 1) )

45 i f a s s T a l l y == s o r t e d ( merged ) :

46 p r i n t ” I n s t a n c e %d v e r i f i e d ” % ( i + 1 )

47 else :

48 v e r i f y F a i l e d ( ” V e r i f i c a t i o n FAIL : T a l l y i n s t a n c e #%s d o e s n o t match

a s s e r t e d t a l l y l i s t ! ” % ( i +1) )

49 else :

50 verifyFailed ( ” Instance filename is i n c o r r e c t l y formatted ” )

C. User Instructions for Option 2 (Manual Verification)

The following instructions were tested in OpenOffice.org Calc 3.0 and TrueCrypt 6.0a. The user is assumed to have

downloaded all relevant data files to directory /$electionDir$/. Let i represent the instance number the verifier wishes

to check.

**Part I: Verify Commitments
**

In Calc:

• Open $electionDir$/ChallengeKeys.csv

• Let $filePath$ represent the contents of cell Ai

In TrueCrypt:

• Select a free drive letter (without loss of generality assume Z:)

• Click Select File → Select $electionDir$/$filePath$.trc → Open

In Calc:

• Click on cell Bi → CTRL + C

In TrueCrypt:

• Click Mount → CTRL+V → OK

In Calc:

• Open Z:/$filePath$.csv,

• In cell D1 type formula =A1=B1,

• Click on cell D1 once and double click on the square in the bottom right corner of the cell to apply the formula to all

cells in the column,

• In cell E1 type formula =A1=C1,

• Click on cell E1 once and double click on the square as before,

• In cell F1 type formula =COUNTIF(D1:E65536;0),

• If F1 equals 0, the commitment is verified.

**Part II: Comparing decommitted list to assterted list
**

In Calc:

• Let $asserted$ represent $electionDir$/AssertedReceipts.csv if $filePath$ is /i/Ui, otherwise let

it represent $electionDir$/AssertedTally.csv if $filePath$ is /i/Si

• Open $electionDir$/$asserted$.csv,

• Click Data → Sort. Select Sort by Column A (Ascending) and Then by Column B (Ascending) → OK,

• In Z:/$filePath$.csv click on column A → CTRL+C,

• Open $electionDir$/Marks/Mi.csv,

• Right click on column A → Insert Columns → CTRL+V,

• Click Data → Sort. Select Sort by Column A (Ascending) and Then by Column B (Ascending) → OK,

• Holding CTRL click columns A and B → CTRL+C,

• In the asserted list, click column C → CTRL+V,

• In cell E1 type formula =A1=C1 and apply formula to all cells in the column as previously described,

• In cell F1 type formula =B1=D1 and apply to all cells in the column,

• In cell G1 type formula =COUNTIF(E1:F65536;0),

• If G1 equals 0, Z:/$filePath$.csv matches $electionDir$/AssertedReceipts.csv.

**PART III: Comparing decommitted list to linkage list
**

In Calc:

• Let X = A if the asserted receipt list was opened during Part II otherwise let X = B if the asserted tally was opened

instead. Let Y be the i + 2-th letter of the alphabet,

• Open $electionDir$/LinkageList.csv,

• For each print audited ballot 1 ≤ j ≤ p:

**– Click on cell Y j → CTRL+C,
**

– In Z:/$filePath$.csv in the name box (top left) type ‘A’ → CTRL+V → Enter. The audit fails if the contents

of the active (highlighted) cell do not match the contents of cell Xj in the linkage list.

– In $electionDir$/Marks/Mi.csv in the name box type ‘A’ → CTRL+V → Enter. The audit fails if the contents

of the active cell does not equal -1.

- bookUploaded bysolomonfikadie
- QC Final ReportUploaded byFadi Akil
- What is SteganographyUploaded byAarav Sharma
- Course_Descriptions.pdfUploaded byTalha Mehmood
- Essential MattersUploaded bythepoolboy
- IJ0230052Uploaded byjuan perez arrikitaun
- e-Voting Application using Internal VtokenUploaded byBowo Prasetyo
- SS-2 FinalUploaded bychetana
- CURRICULUM OF COMPUTER SCIENCE.docUploaded byDilawarKhan
- FRAMEWORK FOR WIRELESS NETWORK SECURITY USING QUANTUM CRYPTOGRAPHYUploaded byAIRCC - IJCNC
- o 0211122128Uploaded byAJER JOURNAL
- Vijjay Kumar d Ver 1.1Uploaded byMahin Syed
- Survey on Scalable load balancing and Data security in Cloud IaaS serversUploaded byShruti
- Security- lecture 01Uploaded byRofaelEmil
- Network Security Using Image Processing (1)Uploaded bynanokhan
- Encryption Of Data Using Elliptic Curve Over Finite FieldsUploaded byijdps
- Crytology_Arabs_Submit_finalUploaded byIffah Che Omar
- SigncryptionUploaded byarjun c chandrathil
- Church of Wifi WPA-PSK Rainbow TablesUploaded byulyses62
- Encrypted Sms in Health CareUploaded byEnteronetime Time
- Topic 6 Online SecurityUploaded byTamil Arasu
- Security Challenges, Issues and TheirUploaded byAIRCC - IJNSA
- Proposed Generalization, Suppression, Heuristic, Encryption Privacy Protection Module to Access Sensitive Information in Relational Database (Review Paper)Uploaded byIJASRET
- Fortigate Sslvpn 40 Mr2Uploaded bykamal
- tijun10Uploaded byCesar De Jesus Osorio Ortiz
- redacted cryptography term paperUploaded byapi-271897349
- BeepBeep Embedded Real Time EncryptionUploaded byjohnroberts32
- 12.589245Uploaded byCharifa Hanin
- AbstractUploaded byvinoth1128
- D-47-458-468.pdfUploaded bylambanaveen