Cryptography and Voting
•5 likes•2,929 views
Report
Share
Download to read offline
EVT/WOTE 2009 Invited Talk on Cryptography and Voting for non-cryptographers.
More Related Content
Viewers also liked
Viewers also liked(16)
Recently uploaded
Recently uploaded(20)
Cryptography and Voting
- 1. Cryptography and Voting Ben Adida Harvard University EVT & WOTE August 11th, 2009 Montreal, Canada
- 2. “If you think cryptography is the solution to your problem.... 2
- 3. ... then you don’t understand cryptography... 3
- 4. ... then you don’t understand cryptography... ... and you don’t understand your problem.” -Peter, Butler, Bruce 3
- 5. Yet, cryptography solves problems that initially appear to be impossible. 4
- 6. There is a potential paradigm shift. A means of election verification far more powerful than other methods. 5
- 7. Three Points 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality. 6
- 8. 1. Voting is a unique trust problem. 7
- 9. “Swing Vote” terrible movie. hilarious ending. 8
- 10. Wooten got the news from his wife, Roxanne, who went to City Hall on Wednesday to see the election results. "She saw my name with zero votes by it. She came home and asked me if I had voted for myself or not." 9
- 11. 10
- 12. 11
- 13. Bad Analogies Dan Wallach’s great rump session talk. More than that ATMs and planes are vulnerable (they are, but that’s not the point) It’s that voting is much harder. 12
- 14. Bad Analogies Adversaries ➡ pilots vs. passengers (airline is on your side, I think.) ➡ banking privacy is only voluntary: you are not the enemy. Failure Detection & Recover ➡ plane crashes & statements vs. 2% election fraud ➡ Full banking receipts vs. destroying election evidence Imagine ➡ a bank where you never get a receipt. ➡ an airline where the pilot is working against you. 13
- 15. Ballot secrecy conflicts with auditing, cryptography can reconcile them. 14
- 17. 16
- 18. /* 1 * source * code */ if (... Vendor 16
- 19. /* 1 * source * code Voting 2 */ Machine if (... Vendor 16
- 20. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 16
- 21. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 16
- 22. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 16
- 23. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice 5 Ballot Box Collection 16
- 24. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection 16
- 25. /* 1 * source * code Polling Voting */ 3 2 Location Machine if (... Vendor 4 Alice Results 5 6 ..... Ballot Box Collection Black Box 16
- 26. Chain of Custody
- 27. Chain of Custody
- 28. Chain of Custody
- 29. Chain of Custody
- 30. Chain of Custody
- 31. Initially, cryptographers re-created physical processes in the digital arena. 18
- 32. Then, a realization: cryptography enables a new voting paradigm Secrecy + Auditability. 19
- 33. 20
- 34. Public Ballots Bulletin Board Bob: McCain Carol: Obama 21
- 35. Public Ballots Bulletin Board Bob: McCain Carol: Obama Alice 21
- 36. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Alice 21
- 37. Public Ballots Bulletin Board Alice: Bob: Obama McCain Carol: Obama Tally Obama....2 McCain.... Alice 1 21
- 38. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Rice Tally Obama....2 McCain.... Alice 1 22
- 39. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali Rice ce ver Tally ifies he rv Obama....2 ote McCain.... Alice 1 22
- 40. Encrypted Public Ballots Bulletin Board Alice: Bob: Rice Clinton Carol: Ali ce Rice ta lly e hTally ver ifi ifie st es he ne ver rv ve ryo Obama....2 ote E McCain.... Alice 1 22
- 42. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Polling Location
- 43. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Ballot Box / Polling Bulletin Board Location Alice
- 44. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... Alice
- 45. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 Alice Receipt
- 46. End-to-End Verification /* * source * code Voting */ Machine if (... Vendor Ballot Box / Results Polling Bulletin Board Location ..... 1 2 Alice Receipt
- 47. Democratizing Audits Each voter is responsible for checking their receipt (no one else can.) Anyone, a voter or a public org, can audit the tally and verify the list of cast ballots. Thus, OPEN-AUDIT Voting. 24
- 48. 2. Cryptography is not just about secrets, creates trust between competitors. 25
- 49. NO! Increased transparency when some data must remain secret. 26
- 50. So, yes, we encrypt, and then we operate on the encrypted data in public, so everyone can see. In particular, because the vote is encrypted, it can remain labeled with voter’s name. 27
- 51. “Randomized” Encryption 28
- 52. “Randomized” Encryption Keypair consists of a public key pk and a secret key sk . 28
- 53. “Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 28
- 54. “Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 "McCain" Enc pk c5de34 28
- 55. “Randomized” Encryption Keypair consists of a public key pk and a secret key sk . "Obama" Enc pk 8b5637 "McCain" Enc pk c5de34 "Obama" Enc pk a4b395 28
- 56. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. 8b5637 29
- 57. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb 8b5637 29
- 58. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 29
- 59. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc 29
- 60. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 Dec sk3 7231bc Dec sk4 8239ba 29
- 61. Threshold Decryption Secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Dec sk1 b739cb Dec sk2 261ad7 8b5637 "Obama" Dec sk3 7231bc Dec sk4 8239ba 29
- 62. Homomorphic Encryption 30
- 63. Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) 30
- 64. Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) 30
- 65. Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) g m1 ×g m2 = g m 1 +m 2 30
- 66. Homomorphic Encryption Enc(m1 ) × Enc(m2 ) = Enc(m1 + m2 ) g m1 ×g m2 = g m 1 +m 2 then we can simply add “under cover” of encryption! 30
- 67. Mixnets c = Encpk1 (Encpk2 (Encpk3 (m))) Each mix server “unwraps” a layer of this encryption onion. 31
- 68. Proving certain details while keeping others secret. Proving a ciphertext encodes a given message without revealing its random factor. 32
- 69. Zero-Knowledge Proof 33
- 70. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama 33
- 71. Zero-Knowledge Proof President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Obama Vote For: Obama This last envelope likely contains “Obama” 33
- 72. Zero-Knowledge Proof President: President: President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse President: Mickey Mouse Vote For: Mickey Mouse Vote For: Mickey Mouse Obama McCain Paul Open envelopes don’t prove anything after the fact. 34
- 73. Electronic Experience Voter interacts with a voting machine Voting Machine Alice Obtains a freshly printed receipt that displays the encrypted ballot Encrypted Vote Takes the receipt home and uses it as a tracking number. Receipts posted for public tally. 35
- 74. Paper Experience David Adam Bob Charlie David _______ Adam _______ Bob _______ Pre-print paper ballots with some indirection betw candidate and choice Charlie _______ _______ 8c3sw _______ _______ _______ 8c3sw Break the indirection (tear, detach) Adam - x 8c3sw for effective encryption Bob - q Charlie - r David - m Take receipt home and use it Adam - x Bob - q 8c3sw as tracking number. Charlie - r q q David - m r r m m x x 8c3sw Receipts posted for public tally. q r m x 36
- 75. 3. Cryptography-based Voting (Open-Audit Voting) is closing in on practicality. 37
- 76. Benaloh Casting 38
- 77. Benaloh Casting Alice 38
- 78. Benaloh Casting "Obama" Alice 38
- 79. Benaloh Casting "Obama" Encrypted Ballot Alice 38
- 80. Benaloh Casting "Obama" Encrypted Ballot Alice Alice 38
- 81. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Alice 38
- 82. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice 38
- 83. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 84. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 85. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 86. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 87. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 88. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION 38
- 89. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot VERIFICATION Alice 38
- 90. Benaloh Casting "Obama" Encrypted Ballot Alice "AUDIT" "CAST" Decrypted Signed Ballot Encrypted Ballot Alice Alice Encrypted Decrypted Ballot Ballot Signed Encrypted Ballot VERIFICATION Alice 38
- 91. Many more great ideas Neff ’s MarkPledge ➡ high-assurance, human-verifiable, proofs of correct encryption Scantegrity ➡ closely mirrors opscan voting ThreeBallot by Rivest ➡ teaching the concept of open-audit without deep crypto STV: Ramchen, Teague, Benaloh & Moran. ➡ handling complex election styles Prêt-à-Voter by Ryan et al. ➡ elegant, simple, paper-based 39
- 92. Deployments! UCL (25,000 voters) Scantegrity @ Takoma Park SCV 40
- 93. Three Points 1. Voting is a unique trust problem. 2. Cryptography is not just about secrets, it creates trust between competitors, it democratizes the auditing process. 3. Open-Audit Voting is closing in on practicality. 41
- 94. My Fear: computerization of voting is inevitable. without open-audit, the situation is grim. 42
- 95. My Hope: proofs for auditing partially-secret processes will soon be as common as public- key crypto is now. 43
- 96. Challenge: Ed Felten: “you have no voter privacy, deal with it.” 44
- 97. Challenge: Ed Felten: “you have no voter privacy, deal with it.” 44
- 98. Questions? 45