Helios - Real-World Open-Audit Voting

  1. Helios: real-world open-audit voting. Ben Adida, Harvard University. Workshop on Electronic Voting, Tel Aviv University, 18 May 2009
  2. (image: http://www.cs.uiowa.edu/~jones/voting/pictures/)
  3. Who counts the votes?
  4. (image: http://www.cs.uiowa.edu/~jones/voting/pictures/)
  5. Democratizing the Tallying Process + secrecy
  6-9. Public Ballots Bulletin Board: Alice: Obama; Bob: McCain; Carol: Obama. Tally: Obama....2, McCain....1
  10-12. Encrypted Public Ballots Bulletin Board: Alice: Rice; Bob: Clinton; Carol: Rice. Tally: Obama....2, McCain....1. Alice verifies her vote; everyone verifies the tally.
  13. How can we verify operations on encrypted data? Mathematical proofs.
  14-16. Zero-Knowledge Proof (envelope analogy). Envelope labels: "President: Mickey Mouse" (repeated), "Vote For: Mickey Mouse", "Vote For: Obama". Conclusion: "This last envelope likely contains 'Obama'."
  17. Zero-Knowledge Proof (continued). Envelope labels: "President: Mickey Mouse" (repeated), "Vote For: Mickey Mouse", Obama, McCain, Paul. Conclusion: "Open envelopes don't prove anything after the fact."
  18. “And there are cryptographic techniques that can be used to achieve software independence so that even if there's a bug in the software, you'll detect if there's a problem. But those are not ready for prime time in my opinion.” Avi Rubin, 7/9/2008
  19. “But with cryptography, you’re just moving the black box. Few people really understand it or trust it.” Debra Bowen California Sec. of State, 7/30/2008 (paraphrased)
  20. Where to Start?
  21. Most open-audit schemes: complex voting process; in-person voting; few can experience it.
  22. Helios: simplify; low-coercion elections; web-based: all can experience it.
  23. "Low-Coercion?"
    - A more appropriate term might be "stratified coercion".
    - If the voting public is a subset of the population, there may be inherent limits to coercion.
    - e.g. university voting
    - e.g. EFCA in the US
  24-28. Technical Concepts
    - Probabilistic Encryption & Threshold Decryption: posting ciphertexts safely on a bulletin board
    - Homomorphic Tallying: no write-ins, proofs of correct plaintext
    - Benaloh Challenge: cast or audit, authenticate only upon cast
    - In-Browser Encryption: plaintext only in the user's browser
  29. Probabilistic Encryption & Threshold Decryption
  30-34. Public-Key Encryption: a keypair consists of a public key pk and a secret key sk. Enc_pk("Obama") = 8b5637; Enc_pk("McCain") = c5de34; Enc_pk("Obama") = a4b395 (encryption is probabilistic, so the same plaintext yields a different ciphertext each time).
  35-40. Threshold Decryption: the secret key is shared amongst multiple parties: all (or at least a quorum) need to cooperate to decrypt. Ciphertext 8b5637: Dec_sk1 → b739cb, Dec_sk2 → 261ad7, Dec_sk3 → 7231bc, Dec_sk4 → 8239ba; combined → "Obama".
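The threshold decryption of slides 35-40, as an added example (not code from the deck or from Helios): a toy t-of-n threshold ElGamal in Python, where the secret key is Shamir-shared among trustees, any quorum's partial decryptions combine via Lagrange coefficients, and fewer than t shares yield nothing useful. The group (a safe prime found by search just above 10^6), the generator 4, the encoding of a candidate index m as g^m and the small table-lookup decoding are all assumptions of this example, not Helios parameters.

```python
"""Toy t-of-n threshold ElGamal decryption with a Shamir-shared secret key.
Constructed example: the group is tiny and the candidate encoding is an
assumption; real deployments use 2048-bit (or larger) groups."""
import secrets


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def _safe_prime_q(start):
    """Smallest q >= start such that q and p = 2q + 1 are both prime."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return q


Q = _safe_prime_q(10 ** 6)  # subgroup order (assumed toy parameter)
P = 2 * Q + 1               # safe prime modulus
G = 4                       # a square mod P, so it generates the order-Q subgroup


def share_secret(x, t, n):
    """Shamir split x in Z_Q into n shares; any t of them reconstruct x."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def keygen(t, n):
    """Return the public key h = g^x and the trustees' shares of x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), share_secret(x, t, n)


def encrypt(pk, m, r=None):
    """ElGamal with the message encoded as g^m (m = candidate index, small)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def partial_decrypt(share, c1):
    """Each trustee contributes c1^share; nobody ever reconstructs x itself."""
    return pow(c1, share, P)


def lagrange_at_zero(i, ids):
    """Coefficient for share i when interpolating f(0) from the ids present."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def combine(partials, ciphertext, num_candidates=4):
    """Combine a quorum's partial decryptions and decode g^m by table lookup.
    With fewer than t partials the result is garbage (almost always None)."""
    c1, c2 = ciphertext
    ids = list(partials)
    c1_x = 1
    for i, d in partials.items():
        c1_x = c1_x * pow(d, lagrange_at_zero(i, ids), P) % P
    gm = c2 * pow(c1_x, -1, P) % P
    for m in range(num_candidates):
        if pow(G, m, P) == gm:
            return m
    return None


if __name__ == "__main__":
    pk, shares = keygen(t=3, n=5)
    ct = encrypt(pk, 2)  # "vote for candidate 2"
    quorum = {i: partial_decrypt(shares[i], ct[0]) for i in (1, 3, 5)}
    print(combine(quorum, ct))      # 2
    two_only = {i: partial_decrypt(shares[i], ct[0]) for i in (2, 4)}
    print(combine(two_only, ct))    # not 2 (almost surely None)
```

The point for a bulletin-board design is in `partial_decrypt` and `combine`: the trustees only ever publish c1 raised to their share, so the full key x never exists in one place, and a single compromised trustee (or t-1 colluding ones) cannot open any posted ciphertext.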
  41. Homomorphic Tallying
  42-45. Homomorphic Property: Enc(m1) × Enc(m2) = Enc(m1 + m2), so we can simply add votes "under cover" of encryption! First: r'th residuosity [Benaloh85]. Also: Paillier cryptosystem [P99].
  46. Homomorphic Tally (sample, [B+2001, P1999]): each ballot is a row with a 1 in the chosen candidate's slot.

       Voter     Vote for None   Vote for Obama   Vote for McCain   Vote for [illegible]
       Adam      0001            0000             0000              0000
       Bob       0000            0001             0000              0000
       Charlie   0000            0000             0001              0000
       David     0000            0000             0000              0001

       Sample Tally: 0003 0001 0008 0002 0004 0006 0005
  47. Benaloh Casting Protocol
  48-62. Benaloh casting protocol, step by step (image: http://en.wikipedia.org/wiki/Image:Barcode-scanner.jpg):
    - Alice chooses "Obama"; the voting machine produces an Encrypted Ballot and hands it to Alice.
    - "AUDIT": the machine reveals the Decrypted Ballot; Encrypted Ballot + Decrypted Ballot → VERIFICATION.
    - "CAST": the machine produces a Signed Encrypted Ballot and returns it to Alice; the Signed Encrypted Ballot is what gets submitted.
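Slides 42-46 (homomorphic tally) and 47-62 (Benaloh casting protocol) share one added example below; it is not code from the deck or from Helios. It uses a toy Paillier keypair so that multiplying ciphertexts adds packed per-candidate counters, as in the "0001 0000 0000 0000" rows, and it simulates a voting client that must commit to a ciphertext before the voter chooses AUDIT or CAST: on audit the client reveals its randomness and the voter re-encrypts to check, on cast the randomness is discarded. The Mersenne-prime key, the 4-digit slot width, the candidate order ["None", "Obama", "McCain", "Other"] and the cheating-client behaviour are assumptions constructed for the example.

```python
"""Toy Paillier homomorphic tally with packed per-candidate counters and a
Benaloh cast-or-audit check. Constructed example; the key is far too small
for real use and the candidate order is an assumption."""
import math
import secrets

# Constructed toy key from two Mersenne primes (2^31-1 and 2^61-1).
P_PRIME, Q_PRIME = 2 ** 31 - 1, 2 ** 61 - 1
N = P_PRIME * Q_PRIME
N2 = N * N
G = N + 1                                      # standard Paillier generator
LAMBDA = (P_PRIME - 1) * (Q_PRIME - 1) // math.gcd(P_PRIME - 1, Q_PRIME - 1)


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)        # secret decryption constant


def encrypt(m, r=None):
    """Paillier Enc(m) = g^m * r^N mod N^2. Returns (ciphertext, r): the voter
    needs r to audit and must discard it on cast."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2
    return pow(G, m, N2) * pow(r, N, N2) % N2, r


def decrypt(c):
    return _L(pow(c, LAMBDA, N2)) * MU % N


SLOT = 10_000  # one 4-digit counter per candidate, as in "0001 0000 0000 0000"
CANDIDATES = ["None", "Obama", "McCain", "Other"]  # assumed left-to-right order


def encode_vote(candidate):
    """A ballot is one integer with a 1 in the chosen candidate's slot."""
    idx = CANDIDATES.index(candidate)
    return SLOT ** (len(CANDIDATES) - 1 - idx)


def decode_tally(packed):
    digits = []
    for _ in CANDIDATES:
        digits.append(packed % SLOT)
        packed //= SLOT
    return dict(zip(CANDIDATES, reversed(digits)))


def homomorphic_tally(ciphertexts):
    """Multiply ciphertexts => add plaintexts; only the sum is ever decrypted."""
    product = 1
    for c in ciphertexts:
        product = product * c % N2
    return decode_tally(decrypt(product))


def audit_ballot(ciphertext, claimed_choice, r):
    """Benaloh audit: re-encrypt what the voter meant with the revealed r."""
    c, _ = encrypt(encode_vote(claimed_choice), r)
    return c == ciphertext


class BallotDevice:
    """Simulated voting client; honest=False models a compromised client that
    encrypts a different candidate than the one displayed (constructed)."""

    def __init__(self, honest=True):
        self.honest = honest
        self._pending = None

    def prepare(self, choice):
        actual = choice if self.honest else ("McCain" if choice != "McCain" else "Obama")
        c, r = encrypt(encode_vote(actual))
        self._pending = (c, r)
        return c  # the client commits to the ciphertext before the voter decides

    def reveal_for_audit(self):
        """AUDIT: reveal r so the voter can check; this ballot is spoiled."""
        c, r = self._pending
        self._pending = None
        return c, r

    def cast(self):
        """CAST: r is discarded; only the ciphertext is submitted (and signed)."""
        c, _ = self._pending
        self._pending = None
        return c


def benaloh_challenge_passes(device, choice):
    committed = device.prepare(choice)
    revealed, r = device.reveal_for_audit()
    return revealed == committed and audit_ballot(committed, choice, r)


if __name__ == "__main__":
    ballots = [encrypt(encode_vote(v))[0] for v in ["Obama", "McCain", "Obama", "None"]]
    print(homomorphic_tally(ballots))  # {'None': 1, 'Obama': 2, 'McCain': 1, 'Other': 0}
    print(benaloh_challenge_passes(BallotDevice(honest=True), "Obama"))   # True
    print(benaloh_challenge_passes(BallotDevice(honest=False), "Obama"))  # False
```

Because the client has to commit to the ciphertext before it learns whether the voter will audit or cast, a client that mis-encrypts is caught with the revealed r (encryption is deterministic once r is known), and it cannot tell in advance which ballots will be checked; that unpredictability, not any secret held by the voter, is what makes random audits a deterrent. Note that the tally decryption only ever touches the product of all ballots, never an individual ciphertext.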
  63. Helios System Details
  63-68. Helios System Details
    - Python & JavaScript logic & crypto
    - Free/Open-Source stack
    - Deployed on Google App Engine
    - Deployed on Apache/Python/PostgreSQL
    - Customizable authentication, look-and-feel, translations
  69. So, does it work?
    - Université catholique de Louvain
    - 25,000 eligible voters
    - University president election
    - Helios 2.0, optimized
    - customized for UCL (French, improved UI)
  70. 28
  71. 29
  72. 30
  73. 500 500 1st round 1st round 2nd round 2nd round 400 DAY 1 400 DAY 2 Number of votes per hour Number of votes per hour 300 300 200 200 100 100 0 0 0 2 4 6 8 10 12 14 16 18 20 22 0 2 4 6 8 10 12 14 16 18 20 22 Time [h] Time [h] 4000 4000 3500 3500 3000 3000 Total number of votes Total number of votes 2500 2500 2000 2000 1500 1500 1000 1000 DAY 1 1st round DAY 2 1st round 2nd round 2nd round 500 500 0 0 0 2 4 6 8 10 12 14 16 18 20 22 0 2 4 6 8 10 12 14 16 18 20 22 Time [h] Time [h] 31
  74. 32
  75. 32
  76. 32
  77. Most Interesting Lesson: spurious claims are easily countered
  78. brief demo
  79. Questions? ben_adida@harvard.edu http://heliosvoting.org/