Voting Security Overview

(Electronic) Voting Security Ben Adida Harvard University Workshop on Electronic Voting IDC Herzliya 17 May 2009

The Point of An Election

The Point of An Election “The People have spoken.... the bastards!” Dick Tuck 1966 Concession Speech

The Point of An Election “The People have spoken.... the bastards!” Dick Tuck 1966 Concession Speech Provide enough evidence to convince the loser.

\"That's for me and a button to know.\" Joe, the plumber.

5

6

Fashionable Voting http://www.cs.uiowa.edu/~jones/voting/pictures/7

Fashionable Voting 8

Voting is a fundamentally difﬁcult problem. 9

Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. \"She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not.\" 10

14 12

14 12 1 person, 1 vote

Enforced Privacy to ensure each voter votes in his/her own interest 12

http://www.cs.uiowa.edu/~jones/voting/pictures/ 13

1892 - Australian Ballot http://www.cs.uiowa.edu/~jones/voting/pictures/ 14

The Ballot Handoff McCain Alice the Voter 17

The Ballot Handoff McCain Obama Obama Obama McCain McCain McCain Alice the Voter 17

The Ballot Handoff McCain Obama Obama Obama McCain McCain McCain Alice the Voter Black Box 17

Chain of Custody 18

Chain of Custody /* 1 * source * code */ if (... Vendor 18

Chain of Custody /* 1 * source * code Voting 2 */ Machine if (... Vendor 18

Chain of Custody /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 18

Chain of Custody /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 18

Chain of Custody /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 5 Ballot Box Collection 18

Chain of Custody /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection 18

Chain of Custody /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection Black Box 18

The Cost of Secrecy

But Secrecy is Important. Secret Ballot implemented in Chile in 1958. “the secrecy of the ballot [...] has ﬁrst-order implications for resource allocation, political outcomes, and social efﬁciency.” [BalandRobinson 2004]

Because we care about a meaningful result, we’ve made auditing very difﬁcult. 21

We are left chasing evidence of correctness. Meanwhile we destroy evidence on purpose. 22

Obtaining Evidence /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection 23

Obtaining Evidence /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor - source code audit - Logic & Accuracy - Parallel Testing - Voter-Veriﬁed Paper Audit Trail

Obtaining Evidence Polling Location 3 - Multiple poll watchers competing afﬁliations - No personal 4 Alice electronic devices at the polling station - Logging all events

Obtaining Evidence - redundant counts - ballot box seals - statistical auditing by partial recounts Results 5 6 ..... Ballot Box Collection

Fragmented, Adversarial and Indirect - each piece of evidence covers a small segment of the chain. - attacker knows the checks, and can try to sneak in where the chain is not covered. - to maintain security and for practical purposes, the evidence is very indirect.

The Effect of DREs - More to audit - Errors can have disproportionate effects - Software is not just for speed/efﬁciency, it becomes central for integrity.

Software Independence an undetected mistake in the system does not cause an undetectable error in the tally.

Can we get more direct, more end-to-end evidence?

Secret Ballot vs. Veriﬁability Voting System convince Alice Carl the Coercer 31

Secret Ballot vs. Veriﬁability Voting System convince Alice Carl the Coercer [Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Neff2001], [FS2001], [Chaum2004], [Neff2004], [Ryan2004], [Chaum2005] Punchscan, Scantegrity I & II, Civitas, ThreeBallot, Prêt-à-Voter, Scratch & Vote, ... 31

Public Ballots Bulletin Board Bob: McCain Carol: Obama 32

Public Ballots Bulletin Board Bob: McCain Carol: Obama Alice 32

Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Alice 32

Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Tally Obama....2 McCain....1 Alice 32

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Rice Tally Obama....2 McCain....1 Alice 33

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali Rice ce ver Tally iﬁes he rv Obama....2 ote McCain....1 Alice 33

Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali ce Rice ta lly ver e thTally iﬁes riﬁes ve he rv eryone ote E v Obama....2 McCain....1 Alice 33

End-to-End Veriﬁcation

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Polling Location

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Polling Bulletin Board Location Alice

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... Alice

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 Alice Receipt

End-to-End Veriﬁcation /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 2 Alice Receipt

Open-Audit Elections

Evidence-Based Elections

Questions? ben_adida@harvard.edu

Voting Security Overview

0 comments

Notes on slide 1

1 Favorite