
NeSC Edinburgh

27 Feb 2006
P Y A Ryan
Socio-technical trade-offs in Voting Schemes
1


Socio-technical Trade-offs in
Cryptographic Voting Schemes
Peter Y A Ryan
University of Newcastle

Introduction
Designing dependable, trustworthy e-voting systems is
vastly challenging:
Want high-assurance of accuracy whilst maintaining ballot
secrecy.
Minimal trust in components, officials, suppliers etc.
Ideally, trust should ultimately rest on the electorate themselves.
Must be usable and understandable by the electorate at large.
Probably impossible to achieve all of these
simultaneously, hence trade-offs need to be investigated
and evaluated.
Tension between making the system as simple as
possible for voters (vote and go) on the one hand and
ensuring that trust rests ultimately on the voters.

Outline
Overview of Prêt à Voter Classic.
Outline of some vulnerabilities with Prêt à Voter Classic.
Enhancements to counter these
vulnerabilities.
Trade-offs.
Conclusions.


Typical Prêt à Voter Classic Ballot Sheet
[Figure: a ballot form. The left-hand strip lists the candidates in this form's randomised order: Epicurus, Democritus, Aristotle, Socrates, Plato. The right-hand strip carries the marking column and, at its foot, the onion $rJ9*mn4R&8.]

Voter marks their choice
[Figure: the same form, with the voter's X placed in the right-hand column against the chosen candidate. Candidate order: Epicurus, Democritus, Aristotle, Socrates, Plato; onion $rJ9*mn4R&8.]

Voter's Ballot Receipt
[Figure: the right-hand strip only, showing the position of the X and the onion $rJ9*mn4R&8. The candidate list is no longer present.]

Remarks
Order of candidates is randomised for each ballot form,
hence the receipt reveals nothing about the vote.
Vote is not directly encrypted, rather the frame of
reference, i.e., the candidate list, is randomised and
information defining the frame is encrypted.
Voter does not need to communicate their vote to the
device.
Vote casting (of the receipt) could be in the presence of
an official.
Signatures (digital and physical?) could be applied.
A paper audit trail mechanism could be incorporated
(similar to VVPAT but recording encrypted receipts).
Works for ranked, approval, STV etc.

Tabulation
All cast receipts are posted to a secure
Web Bulletin Board (WBB). A sort of
virtual sports hall.
A set of tellers now perform an
anonymising mix/decryption on the posted
receipts.
Outputs of each phase of the mix are also
posted to the WBB.
Final column shows decrypted votes.
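As an added illustration (not code from the slides or from the Prêt à Voter project), the following Python model follows a Classic ballot from seed to decrypted vote: the seed fixes the printed candidate order, the receipt carries only the mark position and the onion, and each teller strips one layer and shuffles, posting every column to a WBB list whose final column is the decrypted votes. The onion is a stand-in for the scheme's RSA onions: the seed masked with one HMAC-derived layer per teller. Candidate names, teller keys and the RNG seed are constructed.

```python
"""Model of Prêt à Voter Classic: randomised order, onion, receipt, teller mix."""
import hashlib
import hmac
import random
from collections import Counter

CANDIDATES = ["Epicurus", "Democritus", "Aristotle", "Socrates", "Plato"]
# Constructed teller keys: each key is one layer of the (toy) onion.
TELLER_KEYS = [b"teller-1-key", b"teller-2-key", b"teller-3-key"]


def permutation_from_seed(seed):
    """The candidate ordering printed on a form is a function of its seed."""
    order = CANDIDATES[:]
    random.Random(seed).shuffle(order)
    return order


def layer_mask(key, nonce):
    """Per-teller keystream word: one layer wrapped around the seed."""
    return int.from_bytes(hmac.new(key, nonce, hashlib.sha256).digest()[:8], "big")


def make_ballot_form(rng):
    """Authority builds a form: seed -> candidate list, plus an onion sealing the seed."""
    seed = rng.getrandbits(64)
    nonces = tuple(rng.getrandbits(64).to_bytes(8, "big") for _ in TELLER_KEYS)
    masked = seed
    for key, nonce in zip(TELLER_KEYS, nonces):
        masked ^= layer_mask(key, nonce)
    return {"candidates": permutation_from_seed(seed), "onion": (nonces, masked)}


def cast(form, candidate):
    """Voter marks against a name; the receipt keeps only the mark position and onion."""
    return (form["candidates"].index(candidate), form["onion"])


def tabulate(receipts, rng):
    """Each teller strips its layer and shuffles; every column is posted to the WBB."""
    wbb = [list(receipts)]            # column 0: receipts exactly as cast
    column = list(receipts)
    for i, key in enumerate(TELLER_KEYS):
        column = [(idx, (nonces, masked ^ layer_mask(key, nonces[i])))
                  for idx, (nonces, masked) in column]
        rng.shuffle(column)           # anonymising shuffle by this teller
        wbb.append(column)
    # After the last teller the masked value is the plaintext seed: decode the mark.
    votes = [permutation_from_seed(seed)[idx] for idx, (_, seed) in column]
    wbb.append(votes)                 # final column: decrypted votes
    return wbb, Counter(votes)


def run_election(choices, rng_seed=2006):
    """Constructed election: one form per voter, each cast for the named candidate."""
    rng = random.Random(rng_seed)
    receipts = [cast(make_ballot_form(rng), c) for c in choices]
    return tabulate(receipts, rng)


if __name__ == "__main__":
    board, tally = run_election(["Plato", "Plato", "Socrates", "Democritus"])
    for i, col in enumerate(board[:-1]):
        print(f"WBB column {i}, mark positions: {[idx for idx, _ in col]}")
    print("decrypted votes:", board[-1], dict(tally))
```

The mark positions visible in the posted columns are the only vote-related information on a receipt; without the seed they do not identify a candidate, which is the point made under "Remarks".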

What can go wrong
For the accuracy requirement:
Ballot forms may be incorrectly constructed,
leading to incorrect encoding of the vote.
Ballot receipts could be corrupted before they
are entered in the tabulation process.
Tellers may perform the mix/decryption
incorrectly.
In this talk I will concentrate on the first of
these.

Auditing ballot forms
Authority generates and prints a large number of ballot
forms.
Random audits before, during and after the election
period by independent authorities (and possibly the
voters themselves).
To check the construction of the ballot forms the values
on the form, onion and candidate ordering, can be
reconstructed if the seed value is revealed.
Use the tellers in an on-demand mode to reveal the
secret seed value buried in the onion. Avoids problems
with storing and selectively revealing seeds.

Advantages of Prêt à Voter
Voter experience simple and familiar.
No need for voters to have personal keys or computing
devices.
Ballot form commitments and checks made before the
election opens allow neater recovery strategies.
Votes are not directly encrypted, just the frame of
reference in which votes encoded. Hence:
The vote recording device doesn't get to learn the vote.
No need for ZK proofs of correctly formed encrypted receipts or
cut-and-choose protocols (but the onus of proof shifts to the
well-formedness of the ballot forms).
Avoids subliminal channels, side channels and social
engineering attacks.

Vulnerabilities
Need to trust The Authority (for secrecy).
Need to trust the auditors (absence of collusion).
Need to protect ballot form information (chain of
custody).
Chain voting.
Enforcing the destruction of LH strips.
Need to constrain the WBB audits, i.e., reveal
only L or R links.
Separation of teller modes, i.e., ensure that each
ballot form is processed only once.

Distributed creation of ballot forms
We would like to set things up so that only the voter
gets to see the onion/candidate list association.
No single entity knows or controls the entropy.
On-demand printing of ballot forms.
This can be achieved with a pre-mix that
mirrors the tabulation mixes of PV Classic.
Mixing is done under an extra layer of encryption
that can be stripped off at the last moment.
Can be adapted for remote variants.

Distributed generation of (ElGamal) onions
An initial clerk generates a set of pairs of onions. Each
pair has the same initial plaintext seed s:
$((g^{x}, R^{x}\cdot s),\ (g^{y}, T^{y}\cdot s))$
These pairs are put through a set of re-encryption
anonymising mixes:
$((g^{x'}, R^{x'}\cdot s'),\ (g^{y'}, T^{y'}\cdot s'))$
i.e. a re-encryption and injection of fresh entropy into the
seed value s.
After a number of mixes:
$((g^{x''}, R^{x''}\cdot s''),\ (g^{y''}, T^{y''}\cdot s''))$
(Here R and T are the public keys under which the two onions are encrypted; the generator symbol, written g above, and the primes marking re-randomised values were lost in extraction and are reconstructed from the standard ElGamal form.)
These pairs can now be distributed in this form. The
candidate list is hidden in this form. These could be
randomly audited at this stage.

Revealing the ballot form
The booth device can then decrypt the LH onion to give
the candidate permutation $\pi$:
$(\pi,\ (g^{y''}, T^{y''}\cdot s''))$
Can be adapted to remote versions (use the Cornell
protocol to convert the LH onion to be encrypted under
the voter $V_i$'s PK):
$((g^{x''}, V_i^{x''}\cdot s''),\ (g^{y''}, T^{y''}\cdot s''))$
A similar construction is possible with the original RSA onions.
The ElGamal construction is suitable for re-encryption mixes
during the tabulation/anonymising mix.
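An added worked example (not from the slides or the project) of the paired-onion construction on the two preceding slides, over a toy ElGamal group (p = 1019, q = 509, g = 4, all constructed): a clerk encrypts one seed under both keys R and T, each mix re-encrypts both halves with the same fresh factor and shuffles, and the booth then opens only the LH onion to recover the candidate order while the RH onion stays sealed for the tellers. The remote (Cornell) conversion is not modelled; candidate names and the RNG seed are constructed.

```python
"""Toy model of paired ElGamal onions built by a pre-mix (added example)."""
import random

# Constructed toy parameters: safe prime P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 1019, 509, 4
CANDIDATES = ["Thales", "Plato", "Socrates"]


def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def encrypt(pk, m, rng):
    """Onion (g^r, pk^r . m) holding plaintext m under public key pk."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), pow(pk, r, P) * m % P)


def decrypt(sk, onion):
    c1, c2 = onion
    return c2 * pow(c1, -sk, P) % P        # c2 . c1^{-sk} (modular inverse, Python 3.8+)


def reencrypt(pk, onion, fresh, rng):
    """Re-randomise and fold fresh entropy into the seed: plaintext becomes seed . fresh."""
    c1, c2 = onion
    r = rng.randrange(1, Q)
    return (c1 * pow(G, r, P) % P, c2 * pow(pk, r, P) * fresh % P)


def permutation_from_seed(seed):
    """Printed candidate order as a deterministic function of the seed."""
    order = CANDIDATES[:]
    random.Random(seed).shuffle(order)
    return order


def initial_clerk(n, pk_r, pk_t, rng):
    """Each pair holds the same seed s: LH onion under R, RH onion under T."""
    pairs = []
    for _ in range(n):
        s = rng.randrange(2, P)
        pairs.append((encrypt(pk_r, s, rng), encrypt(pk_t, s, rng)))
    return pairs


def mix(pairs, pk_r, pk_t, rng):
    """One mix server: the same fresh factor goes into both halves so the pair stays consistent."""
    out = []
    for lh, rh in pairs:
        fresh = rng.randrange(2, P)
        out.append((reencrypt(pk_r, lh, fresh, rng), reencrypt(pk_t, rh, fresh, rng)))
    rng.shuffle(out)                        # anonymising shuffle
    return out


def reveal_in_booth(sk_r, pair):
    """Booth opens only the LH onion; the RH onion is printed sealed for tabulation."""
    lh, rh = pair
    seed = decrypt(sk_r, lh)
    return {"seed": seed, "candidates": permutation_from_seed(seed), "onion": rh}


def demo(n_forms=4, n_mixes=3, rng_seed=2006):
    rng = random.Random(rng_seed)
    sk_r, pk_r = keygen(rng)                # key R (openable in the booth)
    sk_t, pk_t = keygen(rng)                # key T (the tellers')
    pairs = initial_clerk(n_forms, pk_r, pk_t, rng)
    for _ in range(n_mixes):
        pairs = mix(pairs, pk_r, pk_t, rng)
    forms = [reveal_in_booth(sk_r, pair) for pair in pairs]
    # Consistency: the tellers' RH onion must yield exactly the seed the booth printed from.
    consistent = all(decrypt(sk_t, f["onion"]) == f["seed"] for f in forms)
    return forms, consistent


if __name__ == "__main__":
    forms, ok = demo()
    for f in forms:
        print(f["candidates"], f["onion"])
    print("RH onions consistent with printed order:", ok)
```

After three mixes no single party (clerk, any one mix server, or the booth) knows the final seed on its own: the clerk's seed has been multiplied by a fresh factor at every stage, and the booth sees the result only when it opens the LH onion at print time.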

On-demand printing
We can minimise chain voting and chain of
custody problems by arranging the print ballot
forms at the last moment, i.e., in the booth.
Note subtle distinction between creating and
printing.
Use fresh, additional sources of entropy, e.g.,
fibres in the paper, the voters themselves etc.
The problem now is that we can't pre-audit
pre-committed forms.

Post-auditing
A possible solution is to re-introduce a
cut-and-choose element to the protocol along
with post-auditing.
Note: Chaum's original scheme suggested
devices available at the polling station to
check receipts. Probably retain this, in
particular to check digital signatures and to
spot problems early, but additionally
perform checks on WBB posted data.

Two-sided ballot forms
[Figure: one form printed on both sides, each side with its own candidate order and onion. Side A: Thales, Plato, Socrates; onion 7y6G&9j5. Side B: Plato, Thales, Socrates; onion H56$Mz.]

Vote selection
Forms can be printed in the booth.
Voter makes an arbitrary choice as to
which side to use.
They mark their cross (or ranking etc)
against the candidate of choice as before.
The other side is left blank.


Vote selection
[Figure: the voter has chosen side A and marked an X against Plato (Thales, Plato X, Socrates; onion 7y6G&9j5). Side B (Plato, Thales, Socrates; onion H56$Mz) is left blank.]

Receipts
[Figure: the receipt carries the right-hand strip of the used side, the X position and the onion 7y6G&9j5, together with the complete unused side B: Plato, Thales, Socrates; onion H56$Mz.]

Discussion
The unused side can now be checked for well-
formedness (at the time of casting and later in the WBB).
This avoids some of the vulnerabilities of PaV Classic
but at the cost of re-introducing the social engineering
Chaum/Neff vulnerabilities noted by Karlof et al.
Note: still no need for the voter to communicate their
vote to the device, hence no subliminal/side channels
etc.
Also counters kleptographic attacks.
Note: symmetry between the two sides!

Post-auditing
Receipts could be checked again on exit
from the polling stations.
In addition, all the info would be posted to
the WBB. The unused side of the slip could be
checked for well-formedness.
Seeds revealed for the unused sides.
Need mechanisms to prevent leakage of
seeds for used sides, e.g., authorisation
code on LHS?
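The following Python, added here and not part of the slides or the project, combines the on-demand seed reveal described under "Auditing ballot forms" with the two-sided post-audit above: the tellers open the unused side's onion and the auditor compares its printed order with the order its seed generates, while a reveal request for an onion that appears as the used side of a cast receipt is refused. That refusal is one simple realisation of the authorisation question the slide raises, chosen for this example, not the slide's answer. The onion is a toy seal (the seed masked under an HMAC keystream with a constructed teller key); candidates and the RNG seed are constructed.

```python
"""Post-audit of two-sided forms: reveal the unused side's seed, withhold the used side's."""
import hashlib
import hmac
import random

CANDIDATES = ["Thales", "Plato", "Socrates"]
TELLER_KEY = b"constructed-teller-key"      # constructed; stands in for the tellers' key


def permutation_from_seed(seed):
    """Printed candidate order as a deterministic function of the seed."""
    order = CANDIDATES[:]
    random.Random(seed).shuffle(order)
    return order


def _mask(nonce):
    return int.from_bytes(hmac.new(TELLER_KEY, nonce, hashlib.sha256).digest()[:8], "big")


def seal(seed, rng):
    """Toy onion = (nonce, seed xor keystream): only the tellers can open it."""
    nonce = rng.getrandbits(64).to_bytes(8, "big")
    return (nonce, seed ^ _mask(nonce))


def open_onion(onion):
    nonce, masked = onion
    return masked ^ _mask(nonce)


def make_side(rng, tamper=False):
    """One side of a form. A tampered side prints an order that its onion does not encode."""
    seed = rng.getrandbits(64)
    order = permutation_from_seed(seed)
    if tamper:
        order = order[1:] + order[:1]       # mis-constructed: rotated candidate list
    return {"candidates": order, "onion": seal(seed, rng)}


def make_form(rng, tamper_side=None):
    return [make_side(rng, tamper=(tamper_side == i)) for i in (0, 1)]


def cast(form, used, candidate):
    """Receipt: mark position and onion of the used side; the unused side kept whole."""
    side, spare = form[used], form[1 - used]
    return {"mark": side["candidates"].index(candidate),
            "used_onion": side["onion"], "unused": spare}


class Tellers:
    """On-demand seed reveal that refuses any onion recorded as the used side of a receipt."""

    def __init__(self):
        self.used = set()

    def record_cast(self, receipt):
        self.used.add(receipt["used_onion"])

    def reveal_seed(self, onion):
        if onion in self.used:
            raise PermissionError("onion belongs to a cast vote; seed withheld")
        return open_onion(onion)


def audit_unused_side(tellers, receipt):
    """WBB audit: the unused side's printed order must equal the order its seed generates."""
    side = receipt["unused"]
    seed = tellers.reveal_seed(side["onion"])
    return permutation_from_seed(seed) == side["candidates"]


def demo(rng_seed=2006):
    """Constructed run: one honest form, one form whose side B was mis-constructed."""
    rng = random.Random(rng_seed)
    tellers = Tellers()
    good = cast(make_form(rng), used=0, candidate="Plato")
    bad = cast(make_form(rng, tamper_side=1), used=0, candidate="Plato")
    for r in (good, bad):
        tellers.record_cast(r)
    results = {"good_form_passes": audit_unused_side(tellers, good),
               "tampered_form_caught": not audit_unused_side(tellers, bad)}
    try:
        tellers.reveal_seed(good["used_onion"])
        results["used_seed_withheld"] = False
    except PermissionError:
        results["used_seed_withheld"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Because the voter chooses the side arbitrarily, a form with one mis-constructed side is caught whenever that side ends up unused, so a cheating printer cannot know in advance which side will be audited; this is the cut-and-choose element the slide re-introduces.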

Discussion
This solution avoids a lot of the
vulnerabilities of Classic, e.g., no need to
trust the auditing authorities, but makes
the protocol a little more complex for the
voter. And may re-introduce the possibility
of social-engineering attacks.

Assisting the voter
We could envisage a device to help the
voter mark the form and destroy the LHS.
But then we need to trust this device not to cheat
in some way, e.g., by scanning the candidate list
before destruction.


Conclusion
Ideally we would like the trust to rest
ultimately with the electorate.
This seems to be impossible without
involving the voters in the verification
process.
Compromises and trade-offs are
inevitable.
Verify the election not the system.

Future work
On the current model:
Determine exact requirements.
Formal analysis and proofs.
Construct threat and trust models.
Investigate error handling and recovery strategies.
Develop a full, socio-technical systems analysis.
Develop prototypes and run trials, e.g., e-voting
games!
Investigate public understanding, acceptance and
trust.

Future work
Beyond the current scheme:
Finalise remote, coercion-resistant version
(using capabilities).
Re-encryption mixes.
Establish minimal assumptions.
Alternative sources of seed entropy: Voters,
optical fibres in the paper, quantum?
Alternative robust mixes, e.g., ZK shuffle
proofs.
Quantum variants.

References
D. Chaum, Secret-Ballot Receipts: True Voter-Verifiable Elections, IEEE Security and Privacy 2(1): 38-47, Jan/Feb 2004.
J. W. Bryans and P. Y. A. Ryan, A Dependability Analysis of the Chaum Voting Scheme, Newcastle Tech Report CS-TR-809, 2003.
J. W. Bryans and P. Y. A. Ryan, Security and Trust in a Voter-verifiable Election Scheme, FAST 2003.
P. Y. A. Ryan and J. W. Bryans, A Simplified Version of the Chaum Voting Scheme, Newcastle Tech Report, 2004.
P. Y. A. Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS, June 2004.
P. Y. A. Ryan, E-voting, presentation to the Caltech/MIT workshop on voting technology, MIT, Boston, 1-2 October 2004.
P. Y. A. Ryan, A Variant of the Chaum Voter-verifiable Election Scheme, WITS, Long Beach, CA, 10-11 January 2005.
D. Chaum, P. Y. A. Ryan and S. A. Schneider, A Practical, Voter-Verifiable Election Scheme, Newcastle Tech Report 880, December 2004; Proceedings of ESORICS 2005, LNCS 3679.
B. Randell and P. Y. A. Ryan, Trust and Voting Technology, Newcastle CS Tech Report 911, June 2005; to appear in IEEE Security and Privacy Magazine.
P. Y. A. Ryan and T. Peacock, Prêt à Voter: A Systems Perspective, Newcastle CS Tech Report 929, September 2005; submitted to IEEE Security and Privacy Symposium 2006.
Clarkson and Myers, Coercion-resistant Remote Voting using Decryption Mixes, FEE 2005. http://www.win.tue.nl/~berry/fee2005/
