Efficient Receipt-Free
Ballot Casting
Resistant to Covert
Channels
Ben Adida
C. Andrew Neff
EVT / WOTE
August 11th, 2009
Montreal, Canada

Andy uses a voting machine
to prepare a ballot.
Andy wants to verify that
the machine properly
encrypted the ballot.
2

Neff ’s MarkPledge
and Moran-Naor.
Two Problems.
1) 2 ciphertexts per challenge bit (40-50)
2) machine can use ballot to leak plaintext.
3

MarkPledge2
efficient ballot encoding:
2 ciphertexts for any challenge length
covert-channel resistance:
no leakage via the ballot.
voting machine is significantly simplified.
➡ simpler voting machine = less chance of errors.
4

Voter Experience
5

Voter Experience
Voter
Check-in
Andy _________
Ben _________
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack
John
Bill
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack
John
Bill
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack
John 8DX5
Bill
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack Challenge?
John 8DX5
Bill
5

Voter Experience
Voter
Check-in
Andy VHTI
_________
Ben _________
Hillary
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5

Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5

Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5

Voter Experience
Voter Receipt
Check-in
Hillary MCN3
Andy VHTI
_________ Barack 8DX5
Ben _________ John I341
Bill LQ21
Challenge
Hillary VHTI
Barack Barack Challenge?
John 8DX5 VHTI
Bill
5

Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
as part of the commitment
➡ short challenge strings
for real and simulated proofs
6

Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
➡ short challenge strings
for real and simulated proofs
6

Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
"VHTI" ➡ short challenge strings
for real and simulated proofs
6

Special Bit Encryption
Hillary 0
Barack 1
Encrypt a 0 or 1
John
for each candidate
0
Bill 0
Special proof protocol
➡ for bit b=1
➡ meaningful short strings
<ciphertexts>, "8DX5"
as part of the commitment
"VHTI" ➡ short challenge strings
for real and simulated proofs
reveal enc factors
6

Voter Experience (II)
Hillary 0
Barack 1
John 0
Bill 0
7

Voter Experience (II)
<ciphertexts>, !!!!!!!!!!
Hillary 0
<ciphertexts>, "8DX5"
Barack 1
<ciphertexts>, !!!!!!!!!!
John 0
<ciphertexts>, !!!!!!!!!!
Bill 0
7

Voter Experience (II)
<ciphertexts>, !!!!!!!!!!
Hillary
"VHTI"
0
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
<ciphertexts>, !!!!!!!!!!
John 0 "VHTI"
<ciphertexts>, !!!!!!!!!!
Bill 0
"VHTI"
7

Voter Experience (II)
<ciphertexts>, "MCN3"
Hillary
"VHTI"
0
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
<ciphertexts>, "I341"
John 0 "VHTI"
<ciphertexts>, "LQ21"
Bill 0
"VHTI"
7

Voter Experience (II)
<ciphertexts>, "MCN3"
Hillary
"VHTI"
0 reveal enc factors
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
reveal enc factors
<ciphertexts>, "I341"
John 0 "VHTI"
reveal enc factors
<ciphertexts>, "LQ21"
Bill 0
"VHTI"
reveal enc factors
7

Voter Experience (II)
<ciphertexts>, "MCN3"
Hillary
"VHTI" MCN3
0 reveal enc factors
<ciphertexts>, "8DX5"
Barack 1 "VHTI"
reveal enc factors
8DX5
<ciphertexts>, "I341"
John 0 "VHTI"
reveal enc factors
I341
<ciphertexts>, "LQ21"
Bill 0
"VHTI"
reveal enc factors LQ21
7

MarkPledge & Moran-Naor
BitEnc(1) 0 0 1 1 ... 0 0
Pledge 0 1 ... 0
Challenge 1 1 ... 0
Reveal 0 0 1 1 ... 0 0
unique
BitEnc(0) 1 0 0 1 ... 0 1
that fits the
challenge
8

Markpledge 2
different bit encryption
(α, β) ∈ Zq ,
2
with α + β = 1
2 2
➡ isomorphic to SO(2, q)
➡ operation is rotation (matrix mult.)
Designate 1-, 0-, and T-vectors
➡ any pair of a 1-vector and 0-vector
bisected by a test vector
➡ dot-product with test vector.
9

Same pattern emerges
MarkPledge MarkPledge2
BitEnc(1) 0 0 1 1 ... 0 0 xi yi
Pledge 0 1 ... 0 i
Challenge 1 1 ... 0 xC,yC
Reveal 0 0 1 1 ... 0 0 xCxi + yCyi
m0,i
chal
unique
xi,yi
BitEnc(0) 1 0 0 1 ... 0 1
that fits the
challenge
10

Covert Channel
Raised by Karloff, Sastry & Wagner
If the voting machine chooses the
random factor, it can embed info
Can we make the voting machine
fully deterministic given a voter ID
and a selection in a given race?
11

Covert Channel
Ballot #42
1 0 0 0 0
2, r'1
Trustee #1
0 0 1 0 0 Ballot #42
7 = 2 mod 5
1, r'2
Trustee #2
0 0 0 1 0 r'1 + r'2 + r'3
Voting Machine
4, r'3
Trustee #3
0 0 1 0 0
Bulletin Board
Ballot #42
0 0 1 0 0
Pre-generate ciphertexts with trustees
Rotate them on voter selection
12

Why is this receipt-free?
What can the coercer ask the voter
to do that affects the ballot / receipt?
Only the challenge, which is selected
before the voter enters the booth.
All proofs will look the same,
whether real or simulated.
13

Questions?
14