Cryptography and Voting

Cryptography and Voting Ben Adida Harvard University EVT & WOTE August 11th, 2009 Montreal, Canada

“If you think cryptography is the solution to your problem.... 2

... then you don’t understand cryptography... 3

... then you don’t understand cryptography... ... and you don’t understand your problem.” -Peter, Butler, Bruce 3

Yet, cryptography solves problems that initially appear to be impossible. 4

There is a potential paradigm shift. A means of election veriﬁcation far more powerful than other methods. 5

Three Points 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality. 6

1. Voting is a unique trust problem. 7

“Swing Vote” terrible movie. hilarious ending. 8

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. "She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not." 9

10

11

Bad Analogies Dan Wallach’s great rump session talk. More than that ATMs and planes are vulnerable (they are, but that’s not the point) It’s that voting is much harder. 12

Bad Analogies Adversaries ➡ pilots vs. passengers (airline is on your side, I think.) ➡ banking privacy is only voluntary: you are not the enemy. Failure Detection & Recover ➡ plane crashes & statements vs. 2% election fraud ➡ Full banking receipts vs. destroying election evidence Imagine ➡ a bank where you never get a receipt. ➡ an airline where the pilot is working against you. 13

Ballot secrecy conﬂicts with auditing, cryptography can reconcile them. 14

http://www.cs.uiowa.edu/~jones/voting/pictures/ 15

16

/* 1 * source * code */ if (... Vendor 16

/* 1 * source * code Voting 2 */ Machine if (... Vendor 16

/* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 16

/* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 16

/* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 5 Ballot Box Collection 16

/* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection 16

/* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection Black Box 16

Chain of Custody

Initially, cryptographers re-created physical processes in the digital arena. 18

Then, a realization: cryptography enables a new voting paradigm Secrecy + Auditability. 19

20

Public Ballots Bulletin Board Bob: McCain Carol: Obama 21

Public Ballots Bulletin Board Bob: McCain Carol: Obama Alice 21

Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Alice 21

Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Tally Obama....2 McCain.... Alice 1 21

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Rice Tally Obama....2 McCain.... Alice 1 22

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali Rice ce ver Tally iﬁes he rv Obama....2 ote McCain.... Alice 1 22

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali ce Rice ta lly e hTally ver iﬁ iﬁe st es he ne ver rv ve ryo Obama....2 ote E McCain.... Alice 1 22

End-to-End Veriﬁcation

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Polling Location

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Polling Bulletin Board Location Alice

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... Alice

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 Alice Receipt

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 2 Alice Receipt

Democratizing Audits Each voter is responsible for checking their receipt (no one else can.) Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots. Thus, OPEN-AUDIT Voting. 24

2. Cryptography is not just about secrets, creates trust between competitors. 25

NO! Increased transparency when some data must remain secret. 26

So, yes, we encrypt, and then we operate on the encrypted data in public, so everyone can see. In particular, because the vote is encrypted, it can remain labeled with voter’s name. 27

“Randomized” Encryption 28

“Randomized” Encryption Keypair consists of a public key pk and a secret key sk . 28

“Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 28

“Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 "McCain" Enc pk c5de34 28

“Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 "McCain" Enc pk c5de34 "Obama" Enc pk a4b395 28

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. 8b5637 29

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb 8b5637 29

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 29

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc 29

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc Dec sk4 8239ba 29

Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 "Obama" Dec sk3 7231bc Dec sk4 8239ba 29

Homomorphic Encryption 30

Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) 30

Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) g m1 ×g m2 = g m 1 +m 2 30

Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) g m1 ×g m2 = g m 1 +m 2 then we can simply add “under cover” of encryption! 30

Mixnets c = Encpk1 (Encpk2 (Encpk3 (m))) Each mix server “unwraps” a layer of this encryption onion. 31

Proving certain details while keeping others secret. Proving a ciphertext encodes a given message without revealing its random factor. 32

Zero-Knowledge Proof 33

Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 33

Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama This last envelope likely contains “Obama” 33

Zero-Knowledge Proof President: President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Vote For: Mickey Mouse Obama McCain Paul Open envelopes don’t prove anything after the fact. 34

Electronic Experience Voter interacts with a voting machine Voting Machine Alice Obtains a freshly printed receipt that displays the encrypted ballot Encrypted Vote Takes the receipt home and uses it as a tracking number. Receipts posted for public tally. 35

Paper Experience David Adam Bob Charlie David _______ Adam _______ Bob _______ Pre-print paper ballots with some indirection betw candidate and choice Charlie _______ _______ 8c3sw _______ _______ _______ 8c3sw Break the indirection (tear, detach) Adam - x 8c3sw for effective encryption Bob - q Charlie - r David - m Take receipt home and use it Adam - x Bob - q 8c3sw as tracking number. Charlie - r q q David - m r r m m x x 8c3sw Receipts posted for public tally. q r m x 36

3. Cryptography-based Voting (Open-Audit Voting) is closing in on practicality. 37

Benaloh Casting 38

Benaloh Casting Alice 38

Benaloh Casting "Obama" Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION Alice 38

Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot Signed Encrypted Ballot VERIFICATION Alice 38

Many more great ideas Neff ’s MarkPledge ➡ high-assurance, human-veriﬁable, proofs of correct encryption Scantegrity ➡ closely mirrors opscan voting ThreeBallot by Rivest ➡ teaching the concept of open-audit without deep crypto STV: Ramchen, Teague, Benaloh & Moran. ➡ handling complex election styles Prêt-à-Voter by Ryan et al. ➡ elegant, simple, paper-based 39

Deployments! UCL (25,000 voters) Scantegrity @ Takoma Park SCV 40

Three Points 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality. 41

My Fear: computerization of voting is inevitable. without open-audit, the situation is grim. 42

My Hope: proofs for auditing partially-secret processes will soon be as common as public- key crypto is now. 43

Challenge: Ed Felten: “you have no voter privacy, deal with it.” 44

Questions? 45

Cryptography and Voting

0 comments

Notes on slide 1

Favorites, Groups & Events