Dr Ulrich Wiesner


  1. 1. e-Voting: A Risk to Democracy
     Ulrich Wiesner, www.ulrichwiesner.de
     Copenhagen, 17 June 2010
  2. 2. 20 years ago...
     • Copenhagen Meeting on the Human Dimensions of the CSCE, 5-29 June 1990
     • Adopting as general standard:
       – Rule of law
       – Free, fair, periodical elections
       – ...
       – Presence of domestic and international observers in elections
  3. 3. Topics
     • Situation in Germany
     • Requirements for democratic elections
     • Issues
     • Can cryptography fix it?
  4. 4. Testing the Conference E-Voting (Convention on International Trade in Endangered Species, 2010)
     • "Could everyone please vote Yes now?"
       – 128 Yes, 7 No, 2 Abstain
     • "Is Doha the capital of Qatar?"
       – 134 Yes, 2 No, 1 Abstain (Cameroon, Croatia, China)
       – 135 Yes, 2 Abstain (Nigeria, Azerbaijan)
     Source: The Economist, 24 March 2010, http://www.economist.com/blogs/babbage/2010/03/electronic_voting
  5. 5. Why eVoting?
     Inappropriate Reasons
     • Because it's cheaper (?)
     • Because we've already spent the money on the equipment
     • Because it saves 1 hr of counting
     • "Media attention for Cologne"
     Better Reasons
     • Multi-vote elections (cumulative voting)
     • Complex voting schemes
     • Multiple races or high election frequencies
  6. 6. e-Voting: what is the issue?
     • Paper based election: white box
       – Ballot box is passive device
       – No processing: Output is input
       – Manipulations need to be conducted under the public's eyes
     • eVoting: black box
       – Voting computer is active device
       – Output might be input
       – Processing not observable
  7. 7. Fraud and errors not observable
     • PowerVote
     • PowerFraud
     Raised as issue
     • by Commission on Electronic Voting in IE (2003)
     • by Korthals Altes commission in NL (2007)
     • by Federal Constitutional Court in DE (2009)
     Resulted in banning of e-Voting in all three countries
  8. 8. eVoting in Germany
     Nedap Voting machines
       – 1999 – 2008
       – 2M votes in 2005
       – 2'000 of 80'000 polling stations
     Digital Pen
       – Introduction in Hamburg abandoned in 2007
       – No plans for internet voting
     [Map: circle size represents number of polling stations using computers]
  9. 9. Nedap Voting Computer
  10. 10. Digital Pen
     • 2D dot pattern, 90 dpi
     • Dots are offset in 4 directions (up, down, left, right)
     • Pattern of 6x6 dots provide coordinates for pen
     • Addresses* 4^36 squares of 2x2 mm², e.g. 20'000x20'000 km²
     • *) Anoto refers to 60M km²
  11. 11. Certification Process until 2009
     • Federal Voting Machine Act (unconstitutional)
       – Evaluation of sample device by Federal Institute for Physics and Technology
       – Certification of model by Federal Ministry of Interior
       – Permission for use in a specific election by Federal Ministry of Interior
       – No evaluation of individual devices
  12. 12. Principles of Elections
     • Verifiability, transparency and secrecy (procedure) ensure that elections are free, fair and general (values)
     [Diagram labels: secret, free, equal, general, in public, auditable]
  13. 13. Constitutional Implementation (Germany)
     Section 38 (1): Members of the German Bundestag shall be elected in general, direct, free, equal, and secret elections. […]
     Section 20 (1): The Federal Republic of Germany is a democratic and social federal state.
  14. 14. Election Scrutiny
     • Complaint to scrutiny committee of Bundestag
       – Filed Nov 2005
       – Rejected Dec 2006
     • Complaint to Federal Constitutional court
       – Filed Feb 2007
       – Hearing Oct 2008
       – Judgement Mar 2009
  15. 15. German Federal Constitutional Court (2 BvC 3/07 – March 2009)
     1. The fundamental decision for the principles of democracy, republic and conduct of law require elections to be conducted in a transparent manner.
     2. All relevant steps need to be verifiable by the public (unless other constitutional principles require something else).
     3. If voting technology is used, all relevant steps of the election and the determination of the result need to be verifiable by any citizen and without any specialist knowledge.
     http://www.bundesverfassungsgericht.de/entscheidungen/rs20090303_2bvc000307en.html
  16. 16. Cryptography
     Conflicting goals: Secrecy of vote and transparency/auditability
     In e-Voting, you can't have both
  17. 17. Approach
     • What all proposals have in common:
       – Ballots have a unique id (random/serial number)
       – Voters receive a receipt which contains their vote in an encrypted form
       – All encrypted votes are published
       – Voter can verify that his vote is on the list
  18. 18. Cryptography and Elections
     • Proposals:
       – Prêt-à-Voter (P A Ryan, D Chaum, S A Schneider, 2005)
       – ThreeBallot (R L Rivest, 2006)
       – Scratch & Vote (B Adida, R Rivest, 2006)
       – Punchscan (D Chaum, 2006)
       – Scantegrity (D Chaum, 2007)
       – Bingo-Voting (J M Bohli, J Müller-Quade, S Röhrich, 2007)
       – VoteBox (D Wallach et al, 2007)
       – Scantegrity 2 (D Chaum, R Rivest et al, 2008)
  19. 19. Scantegrity 2
     • Goal: provide additional security to optical scanning systems
     [Figure: sample ballot #123456 with Candidates A, B and C in three stages: prepare, hide, vote]
     David Chaum et al., 2007; D. Chaum, R. Rivest, et al., 2008
  20. 20. Bingo Voting
     • Preparation Phase
       – For each voter, prepare a random number for every candidate ("dummy votes")
       – Commit to candidate/number pairs
       – Commitments are shuffled and published on bulletin board
     [Figure: Bulletin Board]
     Jens-Matthias Bohli, Jörn Müller-Quade, Stefan Röhrich, 2007
  21. 21. Bingo Voting
     • Voting Phase
       – Voter selects candidate
       – Fresh random number is generated ("Bingo") and presented to voter
       – Machine will print receipt with
         • fresh random number next to chosen candidate
         • Dummy votes next to other candidates
       – Voter verifies that fresh random number is next to the chosen candidate
     • Voter takes receipt home for later verification
     • Receipt does not allow the voter to prove his vote
     [Figure: "Vote for Candidate A"; Bingo Voting Receipt #365345 listing one number beside each of Candidates A to D; bulletin board with columns of numbers for Candidates A to D]
  22. 22. Bingo Voting
     • With his vote for Candidate A, the voter reduces the number of remaining dummy votes for all other voters by 1
     • At the end of the election, the result can be determined (and verified) by counting the un-used dummy votes.
  23. 23. Bingo Voting
     • Post Voting Phase
       – Publish results
       – Publish all receipts
       – List all unused dummy votes and corresponding commitments
       – Prove that every unopened commitment was used on one receipt
         • Makes use of Randomized Partial Checking
  24. 24. Cryptography - Issues
     • Implementation
     • Usability
     • Verifiability
     • Complexity
  25. 25. Summary
     • Transparency and Verifiability!
       – Fundamental feature
       – Legitimates elected body
     • Trade offs not acceptable:
       – Secrecy vs. transparency/verifiability
       – Verifiability vs. election efficiency
     wahlcomputer@ulrichwiesner.de
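
The three Bingo Voting phases from slides 20 to 23 (preparation, voting, post-voting), as an added sketch that is not part of the original slides or the scheme's authors' code. Assumptions: a salted SHA-256 hash stands in for the scheme's commitments, the Randomized Partial Checking proof is left out, and all function names are hypothetical.

```python
import hashlib
import secrets

def commit(candidate, number, nonce):
    # Assumption: a salted SHA-256 hash stands in for the scheme's commitments.
    return hashlib.sha256(f"{candidate}|{number}|{nonce}".encode()).hexdigest()

def prepare(candidates, n_voters):
    """Preparation: one dummy vote per voter for every candidate."""
    pool = {c: [] for c in candidates}   # secret openings held by the machine
    board = []                           # public bulletin board
    for c in candidates:
        for _ in range(n_voters):
            number, nonce = secrets.randbelow(10**10), secrets.token_hex(16)
            pool[c].append((number, nonce))
            board.append(commit(c, number, nonce))
    secrets.SystemRandom().shuffle(board)  # hide which commitment is which
    return pool, board

def cast(pool, choice):
    """Voting: fresh number beside the choice, a dummy vote beside the rest."""
    if choice not in pool:
        raise ValueError("unknown candidate")
    return {c: secrets.randbelow(10**10) if c == choice else pool[c].pop()[0]
            for c in pool}

def tally_and_audit(pool, board, receipts, n_voters):
    """Post-voting: open unused dummy votes, check them, count them."""
    published = set(board)
    abstained = n_voters - len(receipts)  # non-voters leave one dummy per candidate
    result = {}
    for c, unused in pool.items():
        for number, nonce in unused:
            if commit(c, number, nonce) not in published:
                raise ValueError("opened dummy vote was never committed to")
        result[c] = len(unused) - abstained
    if sum(result.values()) != len(receipts):
        raise ValueError("unused dummy votes do not add up to the receipts")
    return result

def run_election(candidates, n_voters, choices):
    pool, board = prepare(candidates, n_voters)
    receipts = [cast(pool, ch) for ch in choices]
    return tally_and_audit(pool, board, receipts, n_voters), receipts
```

The checks here only cover what an observer can recompute from the opened dummy votes; the step on slide 23 that ties every unopened commitment to exactly one receipt is the part this sketch does not implement.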
