PyCon India 2012 Opening Keynote David MertzWhat shall I talk about today? The first part of this talk is largely administrative – letting this audience know a bit about the Python Software Foundation, its mission, and accomplishments. The larger, latter, section of this talk shall delve into a technical topic that I find interesting: making a secure, anonymous, and verifiable voting system (in Python).
PyCon India 2012 David MertzWho am I? A Director of the Python Software Foundation (one of eleven). Chair of PSF Trademarks Committee. Chair of PSF Outreach and Education Committee. Creator of the election system used by the PSF (segue coming to topic of the main talk).
PyCon India 2012 David Mertz More about me: I used to be well known as author of the IBM developerWorks column Charming Python and Addison-Wesley book Text Processing in Python. Now I work at a research lab called D. E. Shaw Research who have built the worlds fastest supercomputer for doing molecular dynamics. My academic publications include a number in voting technologies (segue coming). Plus a doctorate in Political Philosophy along the way.DESRES has an office in Hyderabad, and we are hiring!
PyCon India 2012 David Mertz The Python Software Foundation (PSF) is a non- profit membership organization devoted to advancing open source technology related to the Python programming language. It qualifies under the US Internal Revenue Code as a tax-exempt 501(c)(3) scientific and educational public charity, and conducts its business according to the rules for such organizations. http://www.python.org/psf/ http://www.python.org/psf/mission/Lets start dry and factual
PyCon India 2012 David MertzThe mission of the Python Software Foundationis to promote, protect, and advance the Pythonprogramming language, and to support andfacilitate the growth of a diverse andinternational community of Pythonprogrammers.The PSF is composed of a membership elected byprior members, who in turn elect a Board ofDirectors to conduct the daily business of theFoundation.
PyCon India 2012 David Mertz PSF Finances PyCon US 2012 Revenue: US$1395K (~75M Rs) Profit: US$277K st Balances (as of May 31 2012) Total equity: US$700K (~38M Rs) Receivables: US$121K Payables: US$27K Net income: US$309KThe biggest PSF revenue source, by far, is PyCon US
PyCon India 2012 David MertzThings the PSF Does: Protects the Intellectual Property in Python (trademarks and copyrights). Funds conferences & sprints (including a contribution to PyCon India 2012). Funds Python related projects (targeted development; filling gaps in module coverage; education and outreach efforts, etc). Runs PSF projects (brochure; website redesign; speed.python.org; sprints; awards; etc).
PyCon India 2012 David Mertz Things the PSF Does Hereby: We are honored to grant the Python Software Foundation Community Service Award to Kenneth Gonsalves, posthumously. The Indian Python Software Society is establishing a Kenneth Gonsalves Memorial Award to be given to Python students. The PSF is likewise pleased to provide seed funding of US$3500 (~190K Rs) to IPSS for this award.Certificate for family of Kenneth Gonsalves, if they are available
PyCon India 2012 A verifiable election system David MertzSegue time: The rest of this talk is about voting systems. It doesnt have anything to do with the PSF per se, although the PSF has used the described method. This talk doesnt really have much to do with Python either. The systems presented and implemented were written in Python, but you could do it in a different programming language. ... for that matter, you could do most of it with pencils and paper.
PyCon India 2012 A verifiable election system David MertzFrom time to time, the PSF conducts elections toelect members, a Board of Directors, and to passmotions of the membership.There is a key property that we can rely on, thatmakes it possible to provide some interesting(theoretical) guarantees for these elections.Namely, the identity – and email address – ofevery eligible voter is known in advance andcentrally maintained.
PyCon India 2012 A verifiable election system David MertzWhat I do NOT advocate: I hasten to observe that I do not support using a system like the one I describe for public/ governmental elections. It is outside the scope of this talk fully to explain why, but the constraints and properties public elections need cannot be fit into the model given in this talk without compromising principles of democracy.
PyCon India 2012 A verifiable election system David Mertz What can we (almost) guarantee? (part 1) 1. An election should be anonymous. No one should be able to determine how any voter voted (other than a voter herself). Our system allows a notable weakening of this condition by allowing a single, trusted Election Administrator who can puncture anonymity. This person is, therefore, required to be a disinterested party. This weakening is much of why our approach does not work for public elections – no one can be trusted to be sufficiently disinterested.(continued ...)
PyCon India 2012 A verifiable election system David Mertz What can we (almost) guarantee? (part 2) 2. An election should be collectively verifiable. That is, every observer should be able to determine that the tabulation is accurate, and that no ineligible votes are included. Moreover, each individual voter should be able to determine that her own vote (or non-vote) is accurately included in the collection of ballots.(continued ...)
PyCon India 2012 A verifiable election system David MertzWhat can we (almost) guarantee? (part 3) 3. An election should be secure against tampering. No malicious action by any voter should be able to alter an election. Ideally, no malicious action by an outside hacker should be able to change anything either. A crucial element here is that even the Election Administrator cannot tamper with an election in a way that is not detectable by observers and/or eligible voters.
PyCon India 2012 A verifiable election system David Mertz Things we do not guarantee: The system described makes no effort to prevent vote buying/coercion. For PSF elections we assume that voters act free of undue influence. The identity of eligible voters is a matter of public record; again, this fits the PSF membership model (but the count of voters would suffice). In the event of a challenge to results or to the conduct of an election, a challenger would need to abandon anonymity, at least to auditors.(All reasons why this doesnt match public elections)
PyCon India 2012 A verifiable election system David MertzThe simplicity of how it works: The basic concept is that each voter is assigned a random ballot-id associated with her ballot, and the mapping from eligible voters is known only to the Election Administrator. When an election is completed, the set of cast ballots – each identified only by ballot-id – is published. The code actually used in the last PSF election is at: http://gnosis.cx/psf/
PyCon India 2012 A verifiable election system David Mertz Suppose that we have a list of eligible voters, e.g.: Anand Chittipothu, email@example.com Massimo DiPierro, firstname.lastname@example.org Jacob Kaplan-Moss, email@example.com David Mertz, firstname.lastname@example.org Anand Pillai, email@example.com Vasudev Ram, firstname.lastname@example.org Prabhu Ramachandran, email@example.com Guido van Rossum, firstname.lastname@example.org We know the identity of all the voters, and that they number 8 total (the second fact can be inferred from the first, of course).(These happen to be PSF members either mentioned or likely in audience)
PyCon India 2012 A verifiable election system David Mertz Generating ballot-ids is a very simple script: #!/usr/bin/env python3 from random import randint, choice from string import ascii_uppercase as uppercase from time import asctime, strftime out=open(Ballot-Map-+strftime(%Y-%m-%d),w) for person in open(Address_List.members): ballotID = choice(uppercase)+ choice(uppercase)+ "%0.3d" % randint(0,1000) print(ballotID,"t",person, file=out)(Finally some Python code!)
PyCon India 2012 A verifiable election system David MertzWe have produced an annotated list of eligiblevoters with random ballot-ids. Remember, thismapping is maintained confidentially by theElection Administrator and given to no one else: QG996 Anand Chittipothu, email@example.com VW195 Massimo DiPierro, firstname.lastname@example.org VE237 Jacob Kaplan-Moss, email@example.com TQ084 David Mertz, firstname.lastname@example.org IN792 Anand Pillai, email@example.com SW003 Vasudev Ram, firstname.lastname@example.org ZG441 Prabhu Ramachandran, email@example.com XD724 Guido van Rossum, firstname.lastname@example.org
PyCon India 2012 A verifiable election system David Mertz Another script, send-ballot-ids, was used to process the generated file, e.g. Ballot-Map-2012-09-19, and send ballots to voters; another step that may not be obvious is important to prevent tampering. Remember our concern to prevent tampering, even by the Election Administrator? To address this, the administrator commits to the exact set of ballot-ids used, but doesnt actually reveal what they are. E.g. she can publish this: % cut -c-5 Ballot-Map-2012-09-26 | sort | shasum b7f1ada5057273482db97eafecf4476c5b3fb6c7 -(The sort in there is no accident)
PyCon India 2012 A verifiable election system David MertzThis “commitment” to ballot-ids is nuanced. Thefull set of (purported) ballot-ids is published at theend of the election (along with the full ballots).If the Election Administrator hadnot published this “commitment,”she could stuff the ballot at the endwith newly invented ballot-idshaving the votes she desired.With the commitment, eligible voters – who eitherdo or do not cast a ballot – can verify their voteagainst the eventually published archive of ballots,leaving no room for stuffed ballots.
PyCon India 2012 A verifiable election system David MertzThe Election Administrator sends a personalizedballot to each eligible voter that incorporates avoters ballot-id. Within the voting period, some or all of the eligible voters vote by sending back their ballot (with ballot-id) to the Election Administrator (more is better, but we cannot mandate 100% participation by PSF members).
PyCon India 2012 A verifiable election system David MertzEmail is a likely way to handle sending andreceiving personalized ballots, but it could bephysical papers or other internet protocols withoutaffecting the guarantees.The system described does notaddress message-level ortransport-level security. Itwould be nice if every voterinstalled GPG and published apublic key, but we could notcount on that within the PSF.
PyCon India 2012 A verifiable election system David MertzNote that the voting procedure and publication isneutral as to the tabulation and voting rules used.Ballots are just documents, and whether anorganization wants “first pass the post” or “rankedpreference” voting – and similar tabulation choices– is open within this framework.
PyCon India 2012 A verifiable election system David MertzCollective Verification: Every actual voter can verify that the ballot matching their ballot-id contains the votes they intended. Every eligible but non-voter can also verify that their ballot-id is excluded from the published archive. Every observer can verify that the ballot archive contains a subset of the committed ballot-ids. Every observer can check the tabulation of the ballot archive independently.
PyCon India 2012 A verifiable election system David MertzThe last several PSF elections were conducted usingthe method described. Following the most recentelection, some voters expressed a preference forusing a web interface rather than sending text filesover email.My colleague Massimo DiPierro developed such aweb interface with my assistance. His code is ongithub and a live test version of it is at web2py. ● https://github.com/mdipierro/evote/ ● http://tests.web2py.com/evote ●
PyCon India 2012 A verifiable election system David MertzMassimos E-Vote uses the same general principlesas the system I have described thus far, but allowscreation of elections and casting votes purely withinweb interfaces.The code to implement E-Vote requires scaffoldingfor an MVC web framework, and therefore usesmore code than the <100 lines in the PSF system (ofwhich <50 lines are essential), but E-Vote is stillquite compact and simple.E-Vote is a bit more automated than the PSFsystem, but it also offers slightly improvedguarantees.
PyCon India 2012 A verifiable election system David MertzAnyone may create an election at the demo URL forE-Vote; sign-in uses OpenID. An administratorcreates a ballot using a markup format and entersthe email addresses of all eligible voters.Voters are each sent a custom link incorporating aUUID associated with their individual ballot: To: email@example.com Subject: Simple Election Date: Fri, 21 Sep 2012 16:12:21 +0000 Link to vote: https://tests.web2py.com/evote/default/vote/21/ voter-B110C66787DC459BA72BA74D422684FE
PyCon India 2012 A verifiable election system David MertzAfter voting at the prior link:
PyCon India 2012 A verifiable election system David MertzWhile these ballots use ballot-ids, as with theprevious code, in E-Vote the mapping between theUUID/URL for voting and the stored ballot-id is notretained after the URL is used. What a ballot-id stilldoes, however, is make each ballot unique, even if itcontains the same vote(s) as another ballot.Discarding the UUID/ballot-id association obscuresvoter identity. While a malicious ElectionAdministrator who controlled the code could stillcovertly store the mapping, if a trusted third partyhosts the code, the Election Administrator cannotaccess that mapping.
PyCon India 2012 A verifiable election system David MertzThe most interesting thing on a completed E-voteballot is probably its signature. This is generatedusing RSA public-key cryptography: # Pure-Python RSA module: http://stuvel.eu/rsa import rsa, base64 def sign(text, privk_pem): privkey = rsa.PrivateKey.load_pkcs1(privk_pem) signature = base64.b16encode( rsa.sign(text,privkey,SHA-1)) return signature
PyCon India 2012 A verifiable election system David Mertz The public key that may be used to verify a signature is published. In fact, it is contained in the “Ballot Verification Code” link on the ballot: % cat ballot-verification.py # This program allows you to verify your ballot # using the RSA algorithm. import base64, rsa # this is the ballot to verify ballot = """<h2>Simple Election</h2> <input checked="checked" value="1"/>yes <input value="2"/>no <input value="3"/>abstain <pre>ballot-21-000001</pre> """.strip()(continued...)
PyCon India 2012 A verifiable election system David MertzContinuing the verification code... # this is the ballot RSA signature signature = base64.b16decode("5E5CD5...2330B4") # this is the election public key pk_pem = """-----BEGIN RSA PUBLIC KEY----- MIGJAoGBAIlKHjsPqghsAvQhqGY8DZxoGIyRUkk6OlEhJUoDqCmF2rpeR9u4u3z+ MMNaWIO4iVsPQnO1JFYJr5Zim1TokLyvz+1HglYRlwW9yLMZjz/tUOFhTPu8zvq4 dHBXF47rIS5Cv4ravS5sB0zG7fQN6znWrHOO961yJSiL1KWtL/jfAgMBAAE= -----END RSA PUBLIC KEY----- """ # this is the code that verifies the signature public_key = rsa.PublicKey.load_pkcs1(pk_pem) if rsa.verify(ballot,signature,public_key)==None: print valid else: print invalid
PyCon India 2012 A verifiable election system David MertzPutting a signature on each ballot “commits” theElection Admin (who is code, really) more stronglythan did the commitment of the ballot-id list.A voter can save her signed ballot (and/or theverification script above) which prevents theElection Administrator from being able to denyreceiving the ballot. Only the election private-keycould have signed the ballot, and only the ElectionAdministrator (via the software) has that key.This model doesnt work in email, since it is acompleted ballot that gets signed, not the blank.
PyCon India 2012 A verifiable election system David MertzEach voter can make sure her own ballot isincluded, as before. As well, every observer canindependently verify the signatures on each ballot.E-Vote handles non-voters by generating a “blank”ballot for each eligible voter who did not participate,and sends them a notice that is similar to thatreceived by voters when they vote.
PyCon India 2012 A verifiable election system David Mertz A picture of my cat: Every technical talk needs a cute kitten, right?(Python pose?)
PyCon India 2012 A verifiable election system David MertzWrap-up / Questions? ● This talk describe two variations on a voting system that enforces properties of Anonymity, Collective Verifiability, and Security Against Tampering. ● There are other properties that one might hope for, but these strike me as more-or-less the right ones for an online, explicit-membership organization like the PSF. ● If we have time, Id love feedback on my ideas (or catch me in the hallways).