Cryptography and Voting

Ben Adida
Harvard University

EVT & WOTE
August 11th, 2009
Montreal, Canada
EVT/WOTE 2009 Invited Talk on Cryptography and Voting for non-cryptographers.

  • Hey Ben!

    I remember an earlier version of this talk from 2-3 years ago in Herzlia. Kudos for the CC license!

    I was wondering if you have it on Video somewhere as well? I'd love to pass it around to some people!

    Thanks,
    Ira.
Transcript of "Cryptography and Voting"

  1. Cryptography and Voting. Ben Adida, Harvard University. EVT & WOTE, August 11th, 2009, Montreal, Canada.
  2-4. “If you think cryptography is the solution to your problem ... then you don’t understand cryptography ... and you don’t understand your problem.” -Peter, Butler, Bruce
  5. Yet, cryptography solves problems that initially appear to be impossible.
  6. There is a potential paradigm shift. A means of election verification far more powerful than other methods.
  7. Three Points: 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality.
  8. 1. Voting is a unique trust problem.
  9. “Swing Vote”: terrible movie. hilarious ending.
  10. Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. "She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not."
  13. Bad Analogies. Dan Wallach’s great rump session talk. More than that ATMs and planes are vulnerable (they are, but that’s not the point). It’s that voting is much harder.
  14. Bad Analogies. Adversaries: ➡ pilots vs. passengers (airline is on your side, I think.) ➡ banking privacy is only voluntary: you are not the enemy. Failure Detection & Recovery: ➡ plane crashes & statements vs. 2% election fraud ➡ full banking receipts vs. destroying election evidence. Imagine: ➡ a bank where you never get a receipt. ➡ an airline where the pilot is working against you.
  15. Ballot secrecy conflicts with auditing, cryptography can reconcile them.
  16. http://www.cs.uiowa.edu/~jones/voting/pictures/
  18-25. Diagram, built up step by step: 1 Vendor (source code), 2 Voting Machine, 3 Polling Location, 4 Alice, 5 Ballot Box Collection, 6 Results. The final build adds the label “Black Box”.
  26-30. Chain of Custody
  31. Initially, cryptographers re-created physical processes in the digital arena.
  32. Then, a realization: cryptography enables a new voting paradigm: Secrecy + Auditability.
  34-37. Public Ballots. Bulletin Board: Alice: Obama, Bob: McCain, Carol: Obama. Tally: Obama 2, McCain 1. Figure label: Alice.
  38-40. Encrypted Public Ballots. Bulletin Board: Alice: Rice, Bob: Clinton, Carol: Rice. Tally: Obama 2, McCain 1. Alice verifies her vote. Everyone verifies the tally.
  41-46. End-to-End Verification. Diagram, built up step by step: Vendor (source code), Voting Machine, Polling Location, Alice, Receipt, Ballot Box / Bulletin Board, Results, with markers 1 and 2.
  47. Democratizing Audits. Each voter is responsible for checking their receipt (no one else can.) Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots. Thus, OPEN-AUDIT Voting.
  48. 2. Cryptography is not just about secrets, creates trust between competitors.
  49. NO! Increased transparency when some data must remain secret.
  50. So, yes, we encrypt, and then we operate on the encrypted data in public, so everyone can see. In particular, because the vote is encrypted, it can remain labeled with voter’s name.
  51-55. “Randomized” Encryption. Keypair consists of a public key $pk$ and a secret key $sk$. "Obama" → $\mathrm{Enc}_{pk}$ → 8b5637; "McCain" → $\mathrm{Enc}_{pk}$ → c5de34; "Obama" → $\mathrm{Enc}_{pk}$ → a4b395.
  56-61. Threshold Decryption. Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Ciphertext 8b5637; $\mathrm{Dec}_{sk_1}$: b739cb; $\mathrm{Dec}_{sk_2}$: 261ad7; $\mathrm{Dec}_{sk_3}$: 7231bc; $\mathrm{Dec}_{sk_4}$: 8239ba; result: "Obama".
  62-66. Homomorphic Encryption. $\mathrm{Enc}(m_1) \times \mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 + m_2)$. $g^{m_1} \times g^{m_2} = g^{m_1 + m_2}$, then we can simply add “under cover” of encryption!
  67. Mixnets. $c = \mathrm{Enc}_{pk_1}(\mathrm{Enc}_{pk_2}(\mathrm{Enc}_{pk_3}(m)))$. Each mix server “unwraps” a layer of this encryption onion.
  68. Proving certain details while keeping others secret. Proving a ciphertext encodes a given message without revealing its random factor.
  69-71. Zero-Knowledge Proof. Figure labels: “President: Mickey Mouse” (repeated), “Vote For: Mickey Mouse”, “Vote For: Obama”. This last envelope likely contains “Obama”.
  72. Zero-Knowledge Proof. Figure labels: “President: Mickey Mouse” (repeated), “Vote For: Mickey Mouse”, Obama, McCain, Paul. Open envelopes don’t prove anything after the fact.
  73. Electronic Experience. Voter interacts with a voting machine. Obtains a freshly printed receipt that displays the encrypted ballot. Takes the receipt home and uses it as a tracking number. Receipts posted for public tally. Figure labels: Voting Machine, Alice, Encrypted Vote.
  74. Paper Experience. Pre-print paper ballots with some indirection between candidate and choice. Break the indirection (tear, detach) for effective encryption. Take receipt home and use it as tracking number. Receipts posted for public tally. Figure labels: candidates Adam, Bob, Charlie, David; codes Adam - x, Bob - q, Charlie - r, David - m; serial 8c3sw.
  75. 3. Cryptography-based Voting (Open-Audit Voting) is closing in on practicality.
  76-90. Benaloh Casting. Diagram, built up step by step: Alice, "Obama", Encrypted Ballot; "AUDIT": Decrypted Ballot, then Encrypted Ballot and Decrypted Ballot go to VERIFICATION; "CAST": Signed Encrypted Ballot.
  91. Many more great ideas. Neff’s MarkPledge ➡ high-assurance, human-verifiable, proofs of correct encryption. Scantegrity ➡ closely mirrors opscan voting. ThreeBallot by Rivest ➡ teaching the concept of open-audit without deep crypto. STV: Ramchen, Teague, Benaloh & Moran ➡ handling complex election styles. Prêt-à-Voter by Ryan et al. ➡ elegant, simple, paper-based.
  92. Deployments! UCL (25,000 voters), Scantegrity @ Takoma Park, SCV.
  93. Three Points: 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality.
  94. My Fear: computerization of voting is inevitable. without open-audit, the situation is grim.
  95. My Hope: proofs for auditing partially-secret processes will soon be as common as public-key crypto is now.
  96-97. Challenge: Ed Felten: “you have no voter privacy, deal with it.”
  98. Questions?
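
An added worked example (not part of the talk or of any system it mentions) that ties together the “Randomized” Encryption, Threshold Decryption, Homomorphic Encryption and Benaloh Casting slides, using exponential ElGamal. The group parameters are a constructed toy size, the function names are hypothetical, and the key is split so that every trustee must take part rather than a quorum.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(n_trustees):
    """Each trustee keeps a share sk_i; the joint public key is g^(sum of shares)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    pk = 1
    for s in shares:
        pk = pk * pow(G, s, P) % P
    return pk, shares

def encrypt(pk, m, r=None):
    """Enc(m) = (g^r, g^m * pk^r). A fresh random r gives a fresh ciphertext."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P), r

def add(c, d):
    """Enc(m1) x Enc(m2) = Enc(m1 + m2): multiply component-wise."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def partial_decrypt(share, c):
    """One trustee's factor c1^sk_i, computed without revealing sk_i."""
    return pow(c[0], share, P)

def combine(c, partials, max_m):
    """Divide out every trustee's factor, then search for m with g^m equal to the rest."""
    gm = c[1]
    for d in partials:
        gm = gm * pow(d, -1, P) % P
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside the expected range")

def audit(pk, ballot, claimed_m, revealed_r):
    """Benaloh challenge: re-encrypt with the revealed r and compare with the receipt."""
    return encrypt(pk, claimed_m, revealed_r)[0] == ballot

def tally(shares, ballots):
    """Add all ballots under encryption; only the sum is ever decrypted."""
    total = ballots[0]
    for b in ballots[1:]:
        total = add(total, b)
    partials = [partial_decrypt(s, total) for s in shares]
    return combine(total, partials, len(ballots))

if __name__ == "__main__":
    pk, shares = keygen(4)
    # Constructed votes for one candidate: 1 = yes, 0 = no (Alice, Bob, Carol).
    board = [encrypt(pk, v)[0] for v in (1, 0, 1)]
    print("encrypted bulletin board:", board)
    print("tally for the candidate:", tally(shares, board))
    spoiled, r = encrypt(pk, 1)  # an audited ballot is checked, then discarded
    print("audit passes:", audit(pk, spoiled, 1, r))
```

The tally is only meaningful if every posted ballot encrypts 0 or 1, which is what the proofs on the Zero-Knowledge Proof slides are for; this sketch omits them.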